Harm from a breach of personal data security
Is it possible to claim damages for a breach of your data security? The NRA case from the summer of 2019 raised many questions about who processes and stores our data, and how.
This article aims to clarify the main points regarding citizens' personal data.
1. What is personal data?
As defined in Regulation 2016/679 (GDPR), personal data (or PD for short) is any information relating to an identified or identifiable individual. This covers any data such as a name, personal identification number or location, as well as data relating to the genetic, mental, physical or other identity of that individual (the PD subject).

2. What protection does personal data enjoy?
Individuals provide their personal data for processing to various private and public entities. In this case, the entities (institutions/legal entities, and in some cases other individuals) are Data Controllers or Data Processors. The collection and processing they carry out must be in accordance with one of the grounds in the Regulation. In general, these are:
– explicit consent of the subject;
– conclusion of a contract;
– compliance with a legal obligation;
– protection of vital interests of the subject;
– performance of a task of public interest or exercise of official authority;
– legitimate interest of the controller or, as applicable, of a third party.
In addition to needing a legal basis for collecting and processing personal data, controllers are also required to comply with the requirements regarding the manner and conditions of storage of personal data, their accessibility and their deletion. The controller must implement appropriate technical and organizational measures to ensure lawful processing. In particular, such measures ensure that, by default and without intervention by the individual, personal data are not made accessible to an indefinite number of persons.
This is a legal obligation of data controllers. Failure to comply or inadequate compliance is considered a violation of the Regulation.
3. What are the consequences if controllers process personal data in violation of the requirements?
A good example of this is the recent "leak" of personal data from the National Revenue Agency (NRA) system. Insufficient technical and organizational measures for data protection led to an external intrusion into the system and unauthorized access to these data by third parties. The mere fact that the controller can no longer exercise control over the data violates the interest of the data subject, and the controller is liable for this.
4. Can I claim compensation for the unlawful processing/access to my personal data?
According to Art. 82 of the Regulation, individuals have the right to compensation from the controller or, as applicable, from the processor of the personal data for damages resulting from a violation of the requirements of the Regulation. Damages can be both material and non-material, and they are subject to proof. Non-material damages represent the physical and emotional suffering, as well as all other negative experiences, that you have gone through as a result of the violation. The compensation for them is determined by the court in equity.
