Skip to main content
indemnizacion proteccion de datos

Compensation for moral damages: Art. 82 GDPR

Is compensation due to a breach of the GDPR possible?

Requesting compensation due to a breach of the data protection regulation is absolutely possible, as indicated in Art. 82 of the GDPR. In fact, citizens are becoming increasingly aware of this right and are requesting it more frequently, at least with regards to enquiries made to the firm.

What is the difference between requesting compensation and reporting to the Spanish Data Protection Agency (AEPD)?

There’s a big difference. Compensation consists of requesting a restitution due to a breach of the data protection regulation that may have a financial or moral effect on someone. It is requested through the ordinary courts and, logically, can only be requested by the party affected by the breach.

The purpose of reporting to the AEPD, however, is to indicate that a company or enterprise has breached the GDPR and results in the imposing of a fine or, where appropriate, a warning. Unlike compensation, in this case the amount of the penalty (if financial) is paid to the Government authorities. Another significant difference is that it does not have to be the party affected that files proceedings
with the AEPD or with an independent data protection authority.

Examples of a breach of the GDPR that do not necessarily involve direct damages
may include not having a Record of Processing Activities, which is undoubtedly an
obligation of the GDPR but would not often cause actual damages to those

From whom and when can data protection compensation be claimed?

Art. 82 of the GDPR is clear in so much as compensation can be requested from “controllers or processors“. Therefore, the claim can be made to any enterprise or company involved in data processing.

Despite this general indication, the same art. 82 GDPR states that the controller may be liable when it infringes the GDPR and, however, the processor may only be liable when it infringes obligations that the GDPR specifically directs at processors or when it has acted outside or contrary to the instructions of the

What type of damages may be subject to data protection compensation?

Compensation must be considered a reparation or indemnity for the damage caused. There are generally two types of damages subject to compensation: financial or economic damages or moral damages. As well as the criteria indicated, the damage must be proven, which is not always a simple feat and, in
practice, calls for proof that the damage is real.

Financial damages are infringements of the GDPR that affect the assets of the person affected. The most commonplace of these, for example, is having been included in a file of defaulters without any justification, where this has led to financial damages for the person affected. Financial or economic damages can be proven more easily than moral damages.

Moral damages, however, are more difficult to prove and require that the person affected proves, in the words of case law: “mental or spiritual anguish that may cause certain behaviour, activities or even results in the individual, whether involving direct or immediate aggression on material assets or whether the
attack affects extrapatrimonial wealth or the personality”. To this end, any psychological report that proves the suffering caused to the affected person will be necessary or, at least, highly recommended.

What if my company is in breach?

In the case of the company or enterprise causing the damages, (1) check and, where appropriate, update your data protection protocols as soon as you become aware of the claim, (2) if the damages are caused by a security incident, apply the requirements of the GDPR and (3) listen to the claim and analyse whether it actually has any grounds and, if so, analyse how to minimise the risk or damages caused.

If you need more information about data protection, contact us!

    Information on data protection

    Company name
    Providing the service.
    Sending the newsletter.
    Legal basis
    Compliance with the service provision.
    Your data will not be shared with any third party, except service providers with which we have signed a valid service agreement.

    You may access, rectify or delete your data and exercise the rights indicated in our Privacy Policy.

    Further information
    See the Privacy Policy.