Can a data subject claim compensation from the controller if the controller discloses their data to an unauthorised person as a result of an order mix-up?

ANSWER

In the case described, a personal data breach occurred, as defined in Article 4(12) GDPR, i.e. unauthorised disclosure of personal data. In such a situation, the data subject first has the right to have the incident explained and to obtain information about measures taken by the data controller in connection with the breach. Furthermore, the data subject may lodge a complaint against the controller under Article 77(1) GDPR with the supervisory authority — the President of the Personal Data Protection Office (UODO) — or under Article 82(1) GDPR may claim compensation from the data controller in connection with the breach if they suffered material or non-material damage as a result. Under Article 82(1) GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered.

If the solution proposed by the data controller does not satisfy the data subject, they have the right to bring an action before a regional court (as a rule — with jurisdiction at the defendant's seat) under Article 79(1) GDPR in conjunction with Article 93 of the Personal Data Protection Act.