GDPR questions and answers

Category: Data Processing

Can compensation be claimed as a result of disclosing natural persons' email addresses when a data controller sends bulk correspondence without using BCC?

ANSWER

When a data controller sends bulk correspondence without using BCC, this constitutes a personal data breach as defined in Article 4(12) GDPR (unauthorised disclosure of personal data). Disclosing an email address alone, without linking it to other personal data (such as a home address, PESEL number, identity document number or detailed loan information), will not create a high risk for the data subject that someone could misuse the email address unlawfully.

Nevertheless, it should again be stressed that this is a breach, and an apology communicated by the controller (and similar measures) is entirely appropriate and desirable. Under Article 82(1) GDPR, any natural person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller for the damage suffered. Compensation is possible, but the data subject must demonstrate that they suffered damage in connection with the breach. Therefore, if as a result of the situation described the data subject suffered material or non-material damage, they may submit a claim for compensation to the controller.

Compensation for disclosing email addresses without BCC | ODO 24