A data breach hit | Privacy | Deloitte NL


A data breach hit – how to address potential damage claims

Of course your organization is working hard to prevent data breaches, but chances are high that at some point you will be affected by a data breach. High fines, remediation costs and reputational damage are well-known potential consequences. And yet, there is another potential consequence that organizations may face: civil claims for damages. This blog explores how your organization can address potential damage claims in case of a data breach.

Written by Nina de Jongh | November, 2019

Not only controllers, but also processors can now be held liable

When your organization is affected by a data breach, all individuals who have suffered damages from this breach have the right to full and effective compensation. This means, for example, when your customer data or employee data is exposed because of a data breach, individuals have the right to claim damages. Previous legislation only provided for the option to bring damage claims against data controllers, but the liability rules have expanded! Since the GDPR has come into force, individuals can also claim damages directly from data processors. So processors, be aware: even when you have never directly interacted with the individuals themselves, you may expect direct claims when (partly) responsible for damages!

For individuals it can be difficult to get a grip on the specific liabilities of the parties involved. Therefore, individuals are entitled to claim the total amount with one of the parties involved in the breach. This organization then can be held liable for the entire compensation towards the individual, regardless of whether they are a controller or a processor. The party that is held liable may subsequently institute recourse proceedings against other controllers and/or processors involved. To that extent, it is important that data processing agreements between controllers and processors clearly set out each party’s obligations. It is essential to include a compensation clause in the contract in the event that a claim is brought against your company as a result of a breach by the other party.

Compensation for material and non-material damages

Any individual who has suffered ‘material’ or ‘non-material’ damages as a result of a data breach has the right to receive compensation for the damages suffered. This means that individuals can bring damage claims for financial losses (material damage), but also for non-financial losses such as reputational damage or psychological distress (non-material damage). The national courts determine whether the threshold of material or non-material damage is met and if it is, they will also determine the amount that is needs to be rewarded.

In the past couple of months, the Dutch court has decided in favor of claims for damages on the basis of non-material damage due to GDPR infringements twice. In both cases, the definition of non-material damage was interpreted broadly by the Dutch court: the loss of control over personal data was qualified as non-material damage. If organizations do not respect the right of individuals to be in control of their personal data, which is a fundamental right according to the Dutch court, individuals can rightfully claim damages. Amounts of €500 and €250 were found to be appropriate in the two cases. The claims before the Dutch court were made by an individual, however, several European countries allow for collective claims or class action. If a data breach hits your organization and affects a large number of individuals, collective claims or class action can amount to compensation that may be much higher.

Be proactive and tune in to the needs of the individuals

When your organization is affected by a data breach that involves a large number of individuals (your customers, but don’t forget about your employees!), every step you take will be closely followed. With rising public awareness about privacy and the rights individuals have, it is crucial to be aware of the situation the individuals are in and how they expect to be treated when their data is exposed. For example, if there are steps that individuals can take to reduce chances that their information is misused, let them know immediately. In your communication, be open about the risks that the individuals are facing and provide contact information that they can turn to for concerns about the breach. Can you provide relief in the costs individuals need to make following the breach? Or can you provide services specific to your industry that will further assist individuals in the process? You may even think of discounts. Recognize the needs of the individuals and offer them services that make sense. In this way, you can build trust, even in a breach situation.

More information

For more information about how to address potential damage claims, please contact Annika Sponselee or Shay Danon via the contact details below.

Did you find this useful?