CM Haughey Ruling from Data Protection Commission 8th February 2021 – Malpractice Lawyer Dublin



Are victims of data breaches entitled to compensation?

This recent ruling by the DPC arose out of a complaint made by one of our Clients against a firm of solicitors for a personal data breach under Article 33 of the GDPR. The breach occurred when an employee of the firm of solicitors brought legal documents relating to our Client's ongoing legal proceedings home for review; the documents were contained in an unsecured bag in the boot of the employee's car.

It is worth noting that firms of solicitors are deemed both data controllers and data processors under Article 4 of the GDPR.

Furthermore, data controllers and data processors can be legal or natural persons, which simply means that any person or entity which processes the personal data of a data subject is subject to the strict rules of the GDPR.

Turning to the facts giving rise to the Ruling, when the employee in question arrived home, the legal documents were stolen from the boot of the employee's car.

The firm of solicitors subsequently reported the matter to the DPC (the time limit for reporting a data breach under Article 33 is 72 hours) and described the event as an “opportunistic theft”.

The theft was also reported to the Gardaí; however, the legal documents, which were acknowledged as highly confidential and sensitive, were never recovered.

In the spirit of the GDPR and our Data Protection Act, 2018, consideration was given to the option of “an amicable resolution” pursuant to Section 109(2) of the 2018 Act; however, this was not possible.

On the basis of the information provided to the DPC by this firm and the employee's firm, the DPC concluded its examination of the personal data breach notification.

As part of the investigation process, the DPC drew the attention of the employee's firm of solicitors to its ongoing obligation to adhere to data protection law, including the duty to implement appropriate technical and organisational measures to ensure security for personal data.

In its Ruling, the DPC referred to the relevant law as Articles 5(1)(f) and 32 of the GDPR, which provide:

  • personal data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing (including the disclosure or making available of personal data), using appropriate technical or organisational measures.
  • data controllers are required to implement appropriate technical and organisational measures to ensure a level of security of processing of personal data appropriate to the risk.

The DPC concluded that pursuant to Section 109(5)(f) it was apparent that a breach of security had occurred leading to the unauthorised disclosure of or access to the personal data of our Client, resulting in a specific request to the firm of solicitors in question to take certain actions in order to reduce the likelihood of such incidents recurring.

Significantly, the DPC added an Addendum to its Ruling noting the right of our Client to pursue a claim for compensation for the breach under Section 117 of the Data Protection Act, 2018. This is what the DPC stated:

“Data controllers and data processors may be liable under Section 117 to an individual for damages if they fail to observe the duty of care they owe in relation to personal data in their possession. It is a matter for any individual who feels she/he may have suffered damage as a result of a failure on the part of the data controller/processor to meet its data protection responsibilities to take legal advice as appropriate. This office has no function in relation to the taking of any such proceedings under Section 117 or in the provision of such legal advice.”

So, it is clear that where a data subject can establish a data security breach resulting in unauthorised disclosure of or access to his/her personal data, he/she is entitled to seek compensation against the data controller/processor under the principles of tort law, in other words duty of care principles.

This entitlement to compensation for material and non-material damage, financial loss, expense and emotional suffering is enshrined in Article 82 of the GDPR and is a significant expansion of the right to claim compensation for data breaches.

Prior to the coming into effect of the GDPR in May 2018, a data subject could only seek compensation for material damage, for example proven financial loss.

With regard to the new concept of non-material damage, for example emotional suffering, if the data subject can independently establish that he/she has suffered distress, i.e. psychological damage, he/she may be entitled to additional compensatory damages on top of the award of damages marking the occurrence of the breach.

The route to seeking compensation by way of damages for the breach and/or for psychological injury can be as simple as requesting the data controller/processor guilty of the data breach to pay compensation, and there does not appear to be a legal time limit for making such a request once the breach has been established and/or acknowledged.

If the data controller/processor refuses or neglects to deal with the request for compensation by way of damages, or disputes any aspect of the request, then the data subject has the right to issue proceedings before the civil courts pursuant to the provisions of Section 117, the details of which are set out below.

With regard to what is an appropriate award of damages for a data breach, or for a data breach which also asserts a claim for compensatory damages for psychological injuries, the Irish case law at present does not provide any guidance, as there have been no cases reported to date under the post-GDPR regime.

Recital 75 of the GDPR provides a helpful explanation as to what is deemed material and non-material damage and is also set out below.

In the UK awards for data breaches range from £1000 to £40,000.

If you have been the victim of a data security breach, we would be happy to advise you regarding the submission of a complaint to the DPC and the data controller/processor, and with regard to your potential right to seek compensatory damages.


Data Protection Act 2018 – Section 117

Judicial Remedy for infringement of relevant enactment

(1) Subject to subsection (9), and without prejudice to any other remedy available to him or her, including his or her right to lodge a complaint, a data subject may, where he or she considers that his or her rights under a relevant enactment have been infringed as a result of the processing of his or her personal data in a manner that fails to comply with a relevant enactment, bring an action (in this section referred to as a “data protection action”) against the controller or processor concerned.

(2) A data protection action shall be deemed, for the purposes of every enactment and rule of law, to be an action founded on tort.

(3) The Circuit Court shall, subject to subsections (5) and (6), concurrently with the High Court, have jurisdiction to hear and determine data protection actions.

(4) The court hearing a data protection action shall have the power to grant to the plaintiff one or more than one of the following reliefs:

  • relief by way of injunction or declaration; or
  • compensation for damage suffered by the plaintiff as a result of the infringement of a relevant enactment.

(5) The compensation recoverable in a data protection action in the Circuit Court shall not exceed the amount standing prescribed, for the time being by law, as the limit of that court’s jurisdiction in tort.

(6) The jurisdiction conferred on the Circuit Court by this section may be exercised by the judge of any circuit in which—

(a) the controller or processor against whom the data protection action is taken has an establishment, or

(b) the data subject has his or her habitual residence.

(7) A data protection action may be brought on behalf of a data subject by a not-for-profit body, organisation or association to which Article 80(1) applies that has been mandated by the data subject to do so.

(8) The court hearing a data protection action brought by a not-for-profit body, organisation or association under subsection (7) shall have the power to grant to the data subject on whose behalf the action is being brought one or more of the following reliefs:

  • relief by way of injunction or declaration; or
  • compensation for damage suffered by the plaintiff as a result of the infringement of the relevant enactment.

(9) A data subject may not bring a data protection action against a controller or processor that is a public authority of another Member State acting in the exercise of its public powers.

(10) In this section—

“damage” includes material and non-material damage;

“injunction” means— 

  • an interim injunction,
  • an interlocutory injunction, or
  • an injunction of indefinite duration.


GDPR – Recital 75

Risks to the Rights and Freedoms of Natural Persons

The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.


Caoimhe Haughey August 2021





