Claims for damages under GDPR must go beyond ‘mere upset’, Kaminski guidelines upheld

/in /by

The Circuit Court recently reaffirmed the principle that ‘mere upset’ is not sufficient for a claim under the General Data Protection Regulations (“GDPR”) and the Data Protection Act 2018 (“the 2018 Act”) in Walsh v Irish Prison Service [2025] IECC 8 which is consistent with the previous Kaminski v Ballymaguire Food [2023] IECC 5 decision.

 

The facts of the case

This case concerned a Prison Officer, Mark Walsh, (“the Plaintiff”) who interviewed for a position as “Chief Officer 11 (Work and Training)” with the Irish Prison Service. The Plaintiff was placed at number 17 on the panel for the job and an Interview Scoring Sheet was attached to the covering letter advising him of this.

 

In error, these documents were emailed to a different Mark Walsh, who worked in a different prison on 27 November 2018. On 28 December 2018, the Mark Walsh, who had received the email, emailed the Plaintiff to let him know he had received the documents in error. The Plaintiff emailed the Assistant Governor of Castlerea Prison requesting an investigation and the Assistant Governor contacted the Data Protection Administrator.

 

On 21 January 2019, the Plaintiff emailed the Data Protection Administrator. The following day, the Data Protection Administrator for the Irish Prison Service sent an email apologising that the email was sent to the wrong Mark Walsh and confirming it would not happen again.

 

The issues to be determined

The Plaintiff issued proceedings against the Irish Prison Services in September 2019 seeking a declaration that the processing of the Plaintiff’s personal data by the Defendant was unlawful and seeking damages pursuant to section 117 of the 2018 Act and Article 82 of the GDPR.  The damages could be considered as “non-material damages” which refers to harm that is not financial and includes emotional distress, anxiety and damage to reputation. The three questions to be determined were:

  1. “Was the email sent to another prison officer with the same name a breach of the Plaintiffs personal data such as to constitute an unlawful processing under the 2018 Act and GDPR.
  2. If the answer is yes, did the damage go beyond mere upset or displeasure as a result of the infringement of the Plaintiffs personal data.
  3. If the answer is yes, what, if any, compensation is recoverable.”[1]

 

The Plaintiff gave evidence that he had applied for the position in secret, as he had previously been unsuccessful in the past. He stated his “… workplace is like a small village and he was subjected to oblique taunts by unnamed colleagues, he did not feel like going to work at times, and he suffered from disturbed sleep.”[2] It was put to the Plaintiff that there was no evidence that the disclosure of the data had any adverse consequence on the Plaintiff. He was not absent from work and went on to be successful in his application for the role 9 months later. The Irish Prison Service submitted that the height of his claim was that he experienced annoyance, embarrassment and upset.[3]

 

In her judgment, Justice Fergus relied upon Kaminski and the guidelines set out in that case regarding data protection law and damages for non-material loss, noting whilst they are not all relevant, they are helpful guidance for the Court:

  • “A mere breach or violation of GDPR is not sufficient to warrant an award of compensation.
  • There is no minimum threshold of seriousness required for a claim for non-material damage to exist but it does not cover ‘mere upset’.
  • There must be a link between the data infringement and the damages claimed.
  • The damage must be genuine and not speculative and must be proved.
  • An apology where appropriate may be considered in mitigation of damages.
  • Delay in dealing with the breach by either party is a relevant factor in assessing damages.” [4]

 

Reliance on Kaminski

In Kaminski, Justice O’Connor relied upon the decision of the CJEU in Case C‑300/21 UI v Österreichische Post AG which provides EU national courts with a mechanism for determining non-material loss under the GDPR. The CJEU ruled that:

  1. “The mere infringement of the provisions of the GDPR is not sufficient to confer a right to compensation.
  2. The GDPR precludes a national rule or practice which makes compensation for non-material damage subject to a certain degree of seriousness. A de minimis threshold cannot be imposed.
  3. The amount of damages under the right to compensation is to be determined by the national court applying the domestic rules of each Member State, provided that the principles of equivalence and effectiveness of EU law are complied with.“[5]

 

Even where non-material damage is proved, the guidelines in Kaminski suggest that the awards should be modest. The Court in Kaminski referred to the Judicial Council Person Injuries Guidelines 2021 in respect of the category of minor psychiatric damages as instructive guidance; noting in some cases non-material damages could be valued below €500.[6]  In Kaminski the Court accepted that the loss in the case for the plaintiff went beyond mere upset and created an emotional experience and negative emotions of insecurity which did affect that plaintiff for a short period of time.[7] Therefore the Court awarded €2,000 in damages.

 

The upper-end of the scale for more serious and damaging personal data breaches was awarded in M.H. v The Child and Family Agency [2023] IECC 11. This case related to extremely sensitive information about abuse the plaintiff suffered as a child, and the release of that information to her brother and other siblings. Here, the plaintiff was awarded €7,500 due to the severity of the situation:

“In assessing damages at this level, the Court is mindful of The Child and Family Agency’s role and the very high level of trust someone in the plaintiff’s position places in the Agency when making a report of abuse which occurred in childhood and following on from that, the necessity on the part of the Agency of handling such data with the utmost care and propriety.”[8]

 

Conclusion

Judge Fergus noted that the Plaintiff’s description of the impact of the breach was almost identical to the impact experienced by the plaintiff in Kaminski. However, in applying these factors, Judge Fergus stated she was not satisfied that the threshold beyond mere upset was reached and she ruled that there was no evidence that there was a causal link between the breach and the alleged harm caused. She ruled that the Defendant had taken steps to address the Plaintiffs concern in a reasonable timeframe and the apology issued was a fulsome one. The case was dismissed with no award of damages.

 

There are a number of key takeaways from this case, which companies and employers should take into account when faced with a breach of data protection legislation which may result in a case of non-material damage:

  • Delays should be avoided when dealing with data breaches.
  • Apologies and appropriate responses to complaints will be taken into account by the Courts.
  • Breach of GDPR does not guarantee compensation, even where a breach is admitted.
  • Only breaches of a serious nature will warrant an award for non-material damages.
  • Data policies should be clear and transparent.

[1] Walsh v Irish Prison Service [2025] IECC 8, para 4.

[2] Ibid, para 6.

[3] Ibid.

[4] Ibid, para 7.

[5] Case C‑300/21 UI v Österreichische Post AG, para 60.

[6] Kaminski v Ballymaguire Food [2023] IECC 5, para 11.6.

[7] ibid, para 12.8

[8] M.H. v The Child and Family Agency [2023] IECC. para 4.

 

Judith Curtin

Partner

jc@ofx.ie

 

Niamh Carey

Associate

nca@ofx.ie

 

Kathryn Buckley                                            Amy Horgan

Trainee Solicitor                                            Trainee Solicitor

kathryn.buckley@ofx.ie                               amy.horgan@ofx.ie