Data leaks: Do I have the right to compensation?
Data leaks have become regular news in our everyday lives. In the last few days alone, the news has been full of the data leaks at Facebook (more than 500 million affected worldwide, 11 million Spaniards) and LinkedIn (also more than 500 million affected).
The figures are huge, and statistics show that data leaks caused by computer attacks or by the negligence of companies have been increasing over the years.
What rights do I have if I am affected by data leaks?
If your data has been exposed by any of the service providers you use, you should know that according to current regulations, they must assess whether or not you should be informed of the incident. Therefore, this notification is not always compulsory: only in the most serious cases (for example, exposure of passwords or situations that could lead to cases of theft or the usurpation of user identity).
Therefore, it is highly likely that your personal data has been leaked and you are unaware of it, because the provider believes that the situation is not serious enough to notify you.
If you suspect that your data might have been affected, which is more likely in massive data leaks such as the two cited above, you can always file a complaint with the Spanish Data Protection Agency, which, among other things and if it considers it justified, will ask the company to explain the security measures adopted and why those affected were not informed of the incident.
Ultimately, the Spanish Data Protection Agency may sanction the controller. It is important for you to know, however, that in this case the sanction is an administrative penalty: a fine that the company, if considered responsible, must pay to the Spanish Data Protection Agency. You, as the affected party, will not receive any compensation.
Can I be compensated?
The answer is clearly yes and this is what Art. 82 of the GDPR states:
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
According to this article (which already existed in the previous regulation), any person who has suffered economic or moral damage due to a leak of their data can request compensation in the competent courts.
As always in damages law, it will be the injured party that must prove said damages, which can be relatively easy to quantify if they are financial (for example, if the data leak has involved a subsequent fraud), but things get complicated in the case of moral damage.
It is common for reported data leaks to be limited, in most cases, to not particularly sensitive data: telephone numbers, email addresses or simulated data. Financial damages, should they occur, would therefore in theory be minimal, and moral damage would be very difficult to prove.
As we have said, financial damages sometimes go beyond the value of the “stolen” data itself, since there can be consequences if scams are committed with that data. Thus, it seems complicated in practice for a single individual to initiate a high-cost judicial procedure with an uncertain result over a data leak without there being evident and provable damages beyond the value of the data itself.
Collective actions, which might seem a good solution in this case, have likewise not been seen in our jurisdiction in this area, as the regulations reserve them for groups of consumers and users, and they are used to protect a superior good such as, in this case, the market.
Other countries, such as the USA, have an advantage here: class actions and even arbitration proceedings are very common in cases of data leaks.
In summary:
If you have been affected by a data breach or think you might have been:
- Contact the controller, if they have not contacted you, to ask for an explanation.
- If they do not give you an explanation, or the explanation given is insufficient, file a complaint with the Spanish Data Protection Agency.
- If you can prove financial or moral damages, assess the claim for damages through the civil courts.
If you have any doubts about this or any other issue, please contact us!