An Irish circuit court has awarded a factory worker 2,000 Euros in compensation after his employer used CCTV footage of him as part of a training video. Arkadiusz Kaminski claimed that the footage had been used without his permission, which constituted a breach of the General Data Protection Regulation (GDPR).
Kaminski claimed that his colleagues had be able to recognise him in the training video, in which he had been used as an example of poor work practices. As a result, he had been mocked by his coworkers, and suffered anxiety, embarrassment, and sleep disturbance.
The case sheds significant light on who could be entitled to claim compensation for non-material damages under the GDPR. As a result, it could have significant implications for those who have been victims of a GDPR breach.
In this post, we’ll break down the details of the case and look at how what it tells us about non-material damages for data breaches. Then, we’ll provide some advice on seeking compensation if you’ve been affected by a GDPR breach.
Background of the case
In 2019, Kaminski was working as a supervisor at Ballymaguire Foods, an Irish food manufacturer. During a meeting attended by supervisors, managers and other staff, various CCTV clips were shown for training purposes. One of the clips – which were being used to highlight poor food safety practices at the company – featured Kaminski.
Kaminski had not been present at the meeting. However, he was subsequently told by colleagues that he’d been “caught doing something he shouldn’t have been doing”, according to a report in the Irish Times. He was subject to mockery and felt that, as a supervisor, his authority had been undermined. The footage itself was also available for two weeks after the incident on a communal work computer, which was not password protected.
Kaminski initially contacted the Irish Data Protection Commission (DPC), the independent national regulatory authority for data protection in Ireland, about the incident. However, the DPC was struggling with a backlog of complaints, leading to delays in Kaminski’s case being taken up. As a result, he decided to issue court proceedings in order to seek compensation.
The specifics of the claim
Kaminski claimed that Ballymaguire Foods had breached his GDPR rights because they did not have a legal basis for using his image for training purposes. As he was identifiable from the image, it constituted his personal data for data protection purposes, and so a legal basis for sharing it was required.
He also claimed that, as a result of this GDPR breach, he suffered non-material damages – namely, the stress and upset caused by the incident and his colleagues’ reaction to it.
The GDPR gives victims of a data breach the right to receive compensation if they have suffered damages as a result of a data breach. These can be material damages (e.g., financial losses) or non-material damages (emotional suffering or distress). However, there has been some uncertainty around when the upset caused by a data breach qualifies as non-material damage, and therefore entitles the victim to compensation.
In response to Kaminski’s claim, Ballymaguire Foods argued that they had data protection policies in place covering the use of CCTV footage for training purposes. As a result, they believed there had been no breach of GDPR. Further, they denied that the harm suffered by Kaminski was sufficient to constitute non-material damages, arguing that “mere upset, anxiety and embarrassment” fell short of meeting this requirement.
Key questions in the case
The key questions raised by this case relate to how non-material damages are understood in relation to the GDPR. Therefore, they have significant implications for who may be entitled to claim compensation for a data breach.
The relevant passage in the GDPR, Article 82(1), reads as follows:
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
The phrasing of the Article clearly suggests that, in order to seek compensation for a breach of GDPR, some damage has to be suffered as a result of the breach. However, it does not clearly set out how “damage” should be understood, especially if this damage is “non-material” – that is, if it doesn’t result in a measurable impact such as a financial loss.
As Judge John O’Connor put it in his detailed judgement in the case, which can be read online here, this meant there were three key questions that needed to be decided:
- Had the GDPR been breached in this case?
- If so, had this led to non-material damage rather than “mere upset and embarrassment”?
- If so, how could the appropriate compensation be calculated?
The latter two questions are particularly significant – and particularly challenging. The rights of data breach victim to seek compensation depend on what counts as non-material damage, and how this can be distinguished from “mere upset”.
In answering these questions, Judge O’Connor referred to a recent decision by the European Court of Justice, which has major implications for how the GDPR should be interpreted in such cases. The decision established that, while infringement of the GDPR was not itself sufficient grounds for compensation, there was no minimal threshold for what constitutes non-material damages.
While this did not mean, according to Judge O’Connor, that “mere upset” would be sufficient for non-material damage to have occurred, it did mean that there is no threshold of seriousness that needed to be met.
Outcome of the claim
Judge O’Connor ultimately determined that, because Kaminski was clearly identifiable from the CCTV footage, a breach of GDPR had occurred. While Ballymaguire Foods did have data protection policies in place, these were insufficiently clear – there were multiple, overlapping policies, none of which were available in Kaminski’s first language.
It was also considered that, though Kaminski did not have a medical report to confirm he had suffered mental distress as a result of the incident, he had proven himself to be a reliable witness. Further, his position as a supervisor was seen to exacerbate the situation and contribute to the embarrassment and upset he experienced.
As a result, Kaminski was ultimately awarded 2,000 Euros in compensation – equivalent to approximately £1700.
HNK Solicitors can support your data breach claim
The outcome of this case provides an important lesson for anyone who has been negatively impacted as part of a GDPR breach. It makes clear that, while a data breach alone does not entitle you to compensation, it is not the case that you must have experienced severe or long-lasting damage. In fact, mental distress, anxiety or other related issues can be sufficient, even if they only lasted a short period.
If you have experienced negative consequences as a result of a data breach, this should give pause for thought. Making a compensation claim can be an important way to move past the incident, and can support you in recovering from any damage caused.
If you’d like to discuss your case with an experienced data breach solicitor, HNK Solicitors are here to help. We’ve supported a wide range of clients to secure compensation following a data breach – visit our case studies page to see some of our success stories. With a thorough knowledge of the relevant regulations and recent case law, we can give you the best possible chance of getting the compensation you deserve.
Call us on 0151 668 0809, or email us at firstname.lastname@example.org to arrange a free consultation.