GDPR damages — when a violation owes you money (Art. 82)

Fines go to the state; Art. 82 pays you. Material loss and real distress both count, there is no minimum threshold — and after big breaches, collective actions do the heavy lifting.

Art. 82: anyone who suffers material or non-material damage from a GDPR infringement is entitled to compensation from the controller or processor. What the CJEU has settled (the Österreichische Post line and successors): no seriousness threshold — even modest distress qualifies; but you need actual damage, not the violation alone; and fear of misuse of leaked data can itself be compensable damage. The controller escapes only by proving it was “in no way responsible”. Realistic amounts: individual awards across member states mostly run from the low hundreds to low thousands of euros — identity-fraud aftermath and leaked sensitive data sit at the top, marketing annoyances at the bottom. Not retirement money; multiplied by a breach’s millions of victims, existential for the company — which is why collective actions under the EU Representative Actions Directive follow every major breach now. Joining one usually costs nothing; find them via consumer organisations in your country. Going solo: Art. 79 gives you court access directly — small-claims tracks fit minor cases; a DPA complaint running in parallel strengthens the file (a regulator’s finding of infringement is your best exhibit). Build the damage record from day one: time spent, costs incurred, distress documented — the winners are the ones with the folder.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← Your rights✍️ Generate this letter — free📞 Your data protection authority