- In the Netherlands, the claim for damages under Art. 82 GDPR can be asserted either together with an administrative complaint or independently before a civil court.
- The GDPR does not determine the determination and calculation of the damage; national law regulates the burden of proof and scope, whereby actual and certain damage is required.
The Dutch Council of State has issued a Decision from April 1, 2020 (thanks to Christian Drechsler for the reference!) stated that
- the claim for damages within the meaning of Art. 82 GDPR can, at the choice of the aggrieved party, be asserted together with a complaint before the administrative authorities or independently before a civil court (in any case in the Netherlands, whereobeio above EUR 25,000 only the civil courts have jurisdiction);
- the Determination and calculation of the claim for damages as a result of a data protection breach (here: delayed information) is not specified by the GDPR and is therefore a matter for the national law (whereby “effet utile” is to be observed in particular);
- according to recital 146[mfn][…] The concept of damage should be interpreted broadly in the light of the case-law of the Court of Justice in a way that is fully consistent with the objectives of this Regulation. This is without prejudice to claims for damages based on infringements of other provisions of Union law or the law of the Member States. […][/mfn], the concept of damage must be interpreted broadly. According to the case law of the ECJ (e.g. Rs. C‑337/15 P para. 91), however, the damage to be compensated must be “actual and certain”;
- a Violation of the GDPR as such does not prove any damage yet:
There is no reason to assume that a breach of the GDPR already implies an attack on the integrity of a person and therefore leads to compensable damage. Contrary to [the appellant’s] submission, this cannot be deduced from recitals 85 and 146 of the recitals to the GDPR. The fact that a personal data breach may lead to (im)material damage and that a data subject must receive full and actual compensation for the damage suffered, does not mean that a violation of the standards by definition leads to damage.
- an initially incomplete information does not then constitute a serious culpable conduct so serious as to constitute a violation of a fundamental right;
- the compensation for damages under the GDPR has not punitive in nature. Rather, the purpose is to remedy an unlawful interference with privacy or to provide compensation. Recital 146 also does not say that the compensation must be effective and “dissuasive”;
- the injured party should therefore have provided concrete evidence of the damage incurred, which he failed to do.
In a parallel case, the Council of State awarded compensation of EUR 500. Here, medical data had been erroneously forwarded to a disciplinary committee of the health care system, which had apparently caused immaterial damage.
The situation is different under Art. 82 GDPR from that under the California CCPAwhich provides for a claim for “damages” even in cases where no damage has occurred (e.g., a lump sum of USD 100 – 750 per data breach, unless the real damage is higher).