What should I do if I have been harmed as a result of a personal data breach?

On a daily basis, we all share our personal data with banks, businesses, state and local government institutions, telecommunications service providers, social networking sites and other service providers. We also share our personal information when communicating with colleagues, friends and family using SMS and chat groups.

Any information that can identify us as one particular person is personal data: first and last name, phone number together with other personal information, e-mail address, photo, and even the password with which we log in to a social networking site.

Considering the large amount of data that we transfer on a daily basis, and that organizations process in their daily work to provide us with various goods and services, we have prepared an explanation of what to do if a data protection breach has occurred (unauthorized access, or personal data lost or otherwise affected) and you have been harmed.

If a data protection violation or incident has occurred as a result of the organization’s data processing, the person whose data is processed and who has suffered material or non-material damage as a result has the right to defend his interests and receive compensation from the controller (the organization that determines the purpose of data processing) or the processor (the organization that processes the data on behalf of the controller), which performed the processing of the personal data.

The General Data Protection Regulation sets out individual rights that can be exercised once a data protection breach has been clearly confirmed. If the organization has not provided sufficient technical and organizational means, and as a result a data processing incident has occurred, or the organization has committed a data protection violation in bad faith or out of ignorance, it must bear responsibility for this event, unless it happened for reasons beyond the organization’s control.

Such a case may be when hackers have broken into the organization’s customer database even though it was correctly and securely maintained. The organization is then not to blame for the event, and in that specific case the hacker’s actions would be subject to liability determined by the Criminal Law and not by the General Data Protection Regulation. If the organization is able to prove that it is not to blame for the data processing violation and has done everything to ensure that the data obtained as a result of the data processing is stored in a secure manner, then it is not obliged to pay compensation.

Actions of a person, if illegal data processing has caused him material or non-material damages:

1. If your data has been lost as a result of a breach, or has fallen into the hands of fraudsters, and provable losses have occurred as a result (some kind of suffering or financial losses), you have the right to request compensation from the organization that processed the data. When you submit such a claim to an organization, you must specify exactly what kind of loss or risk the data processing violation has caused you and how you want the organization to compensate for it. The person has the right to receive full and adequate compensation for the damages caused.

2. You can also submit to the national supervisory authority your concern that data processing has taken place illegally, together with a request for solutions to the situation. However, it should be taken into account that the national supervisory authority will not explain how much material compensation you can request from the organization, will not order the organization to pay you compensation, and will not explain how to go to court (a request for compensation from an organization is a civil dispute); it will only explain the practical way to exercise such rights. A request or demand for compensation for a data protection violation cannot be submitted to the national supervisory authority either. You can get an opinion from the national supervisory authority on whether the incident is really a violation.

3. In the event that the organization responsible for the specific data processing does not agree to your request to pay compensation, you have the right to appeal such organization’s action to a court of general jurisdiction.

A person should always bear in mind that when exercising their rights by applying to the organization, the national supervisory authority or the court, the request must be clearly justified. It must clearly state the nature of the situation and your particular case, and include all evidence indicating a data protection violation and confirming that the data processing was not carried out in accordance with the conditions of the General Data Protection Regulation, as well as why this violation directly affected your rights.

Remember: if information containing your personal data, such as the number of a personal identification document or bank card access data (including access to Internet banking), has been disclosed in a data protection violation, we recommend contacting the responsible authorities with a request to block the personal identification document, bank card and other access, to avoid becoming a victim of fraudulent activities. As with documents containing personal data, you should also be careful about your digital footprints, such as your e-mail address and password, accounts created on social networks, etc.