Nyheder
Viden
Arrangementer
Arbejdsret
M&A
Konfliktløsning
Om os
Mennesker
Karriere
U
Nyheder
Viden
Arrangementer
Arbejdsret
M&A
Konfliktløsning
Om os
Mennesker
Karriere
Søg
Om os
Karriere
Kontakt
Viden
Nyheder
Arrangementer
Rss
Specialer
Arbejdsret
M&A
Konfliktløsning
Sitemap
NV_Logo_Gold
Menu
U

Nyheder

Viden

Arrangementer

Arbejdsrethidden

M&Ahidden

Konfliktløsninghidden

Om os

Mennesker

Karriere

Supreme Court ruling: No financial compensation for citizens following personal data breach

af , | 15. 01. 2026 | Data protection

Nyheder

15.01.2026

LinkedInPrint

Skrevet af

Supreme Court ruling: No financial compensation for citizens following personal data breach

For the first time, the Supreme Court has ruled on the issue of whether citizens are entitled to financial compensation under the General Data Protection Regulation as a result of a personal data breach.

Skrevet af

Elsebeth Aaes-Jørgensen

Selma Carøe

Forfattere

According to Article 82 of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the Regulation is entitled to receive compensation from the controller or processor. Recently, the Supreme Court ruled for the first time on the issue of whether data subjects are entitled to compensation or damages under Article 82.

In 2018, a municipality carried out a check of calculations of inter-municipal reimbursements and, in that connection, made a spreadsheet with information on approx. 20,000 citizens. The spreadsheet contained, among other things, names, CPR numbers, addresses, municipalities of residence and information about social security benefits. The spreadsheet was stored on a laptop that was stolen. The computer was not encrypted.

Four of the affected citizens brought a case against the municipality and claimed compensation under Article 82 of the GDPR. During the trial, the four citizens explained that the personal data breach had caused fear and other negative feelings.

The district court – and subsequently the Eastern High Court – found that the municipality had breached the GDPR but dismissed the citizens’ claim for compensation.

Lack of evidence of negative feelings
The Supreme Court stated that there was no information to suggest that the spreadsheet had come to the knowledge of third persons or that the information in the spreadsheet had been misused.

The Supreme Court found that the fear and other negative feelings described by the four citizens could not be considered well-founded in light of the nature of the spreadsheet and the circumstances surrounding the theft of the computer. In this connection, the Supreme Court emphasised that, apart from the four citizens’ own statements, no evidence had been presented to support that the citizens had suffered damage in the form of negative feelings and negative consequences, or evidence of a causal link between the municipality’s processing of their personal data and the personal data breach and the alleged negative feelings and consequences.

The Supreme Court therefore found that the four citizens had not established that they had suffered damage under Article 82 of the GDPR as a result of the municipality’s processing of their personal data in the spreadsheet or the personal data breach caused by the theft of the computer. On that basis, the Supreme Court ruled in favour of the municipality.

Norrbom Vinding notes:

The Supreme Court’s ruling illustrates that in cases concerning compensation or damages under Article 82 of the GDPR, it is the data subject who must document both that the data subject has suffered damage and that there is a causal link between a breach of the GDPR and the damage. This is in line with the judgments of the Court of Justice of the European Union on Article 82. 

The content of the above is not, and should not be a substitute for legal advice.

Forfattere