Ireland | Eversheds Sutherland | Recent Key Rulings on Data Protection Claims for Non-Material Damage


People Capabilities In this section you can find Services Banking and Finance Banking and Finance overview Asset & Lease Finance Capital Markets Corporate Debt Leveraged Finance Project, Energy and Infrastructure Finance Real Estate Finance Restructuring and Insolvency Securitization and Structured Finance Trade and Export Finance Competition, Trade and Foreign Investment Competition, Trade and Foreign Investment overview Antitrust and Competition Litigation Dawn Raids Foreign Investment and National Security Law International Sanctions and Export Controls International Trade Law Merger Control Procurement and State Aid Construction and Engineering Construction and Engineering overview Construction Disputes Contracts and Procurement EPC Project Advisory Corporate and M&A Corporate and M&A overview Business Development Companies Capital Markets Corporate Governance International Corporate Reorganizations Joint Ventures Mergers and Acquisitions Private Equity Small Business Investment Companies (SBICs) Venture Capital Corporate Crime Corporate Crime overview Anti-Bribery and Corruption Anti-Money Laundering International Sanctions and Export Controls Regulatory Investigations and Enforcement Data Privacy, Security and Technology Data Privacy, Security and Technology overview Congressional Investigations Cybersecurity Data Privacy Disruptive Technology Electronic and Mobile Commerce Information Law Product Counseling Regulatory Defense and Litigation Technology Transactions and Sourcing Telecom Services Employment, Labor and Pensions Employment, Labor and Pensions overview Corporate Transactions Cross-Border Employment and Pensions Diversity, Pay and Discrimination Employee Benefits and Executive Compensation Employment Employment Litigation Global Mobility and Immigration Labor and Industrial Relations Pensions and Retirement Plans Pensions Risk Transfer and Management Environment and Natural Resources Financial Services Regulation Financial Services Regulation overview Asset Management Business Development Companies Crypto Assets Derivatives Financial Services Disputes and Investigations Funds Small Business Investment Companies (SBICs) Insurance Insurance overview Captives Insurance and Reinsurance Disputes Insurance and Retirement Products, Insurance Distribution Insurance Financing and Capital Markets Insurance M&A, Reinsurance and Restructuring Insurance Regulation and Compliance Insurance Regulatory Investigations and Enforcement Insurance Taxation Insurtech Pensions Risk Transfer and Management Intellectual Property Intellectual Property overview IP Audits and Assessments IP Litigation IP Transactional Patents Trademarks, Trade Dress and Copyrights Trade Secrets Investigations Investigations overview Antitrust and Competition Investigations Congressional Investigations Employment Investigations Internal Investigations National Security Investigations Konexo Konexo overview Legal Services Interim Resourcing Data and Cyber Consulting Legal Team Consulting Litigation and Dispute Resolution Litigation and Dispute Resolution overview Antitrust and Competition Investigations Appellate Class Actions Commercial Litigation Construction Disputes Energy Disputes Environmental, Health and Safety Financial Services Disputes and Investigations Fraud Insurance and Reinsurance Disputes International Arbitration Procurement Disputes Professional Liability Real Estate Disputes Regulatory Investigations and Enforcement Securities Enforcement and Litigation Tax Controversy and Litigation Unclaimed Property Real Estate and Planning Real Estate and Planning overview Commercial Development and Leasing Corporate Real Estate Investment Management and Fund Formation Planning and Environmental Real Estate Disputes Real Estate Finance Living Strategic Contracts Strategic Contracts overview Contract Modernization Outsourcing Strategic Partnerships Tax Tax overview Acquisitions and Restructuring Business Taxation Employee Benefits and Executive Compensation Federal Tax Real Estate Tax Taxation of Financial Transactions and Institutions Tax Controversy and Litigation Transfer Pricing US State and Local Tax VAT/Indirect Taxes Industries Agribusiness, Forestry and Climate Solutions Consumer Consumer overview Food and Beverage Hospitality Luxury Retail and Wholesale Education Energy Energy overview Clean Energy Electric Cooperatives Energy and Commodities Trading Energy Regulatory Hydrogen Nuclear Oil and Gas Power State Energy Regulatory Group Financial Services Financial Services overview Corporate and Investment Banking Payments and Fintech Private Capital Retail Banking and Consumer Finance Governments and Infrastructure Governments and Infrastructure overview Governments and Strategic Projects Infrastructure Public-private Partnerships Transportation Industrials Industrials overview Aerospace, Defense and Security Automotive Chemicals Manufacturing and Industrial Engineering Life Sciences and Healthcare Life Sciences and Healthcare overview Agriculture and Medicinal Cannabis and CBD Healthcare Industrial Biotechnology Medical Devices Pharmaceuticals and Biotechnology Research and Development Vaccines Real Estate Real Estate overview Alternative Assets Multi and Single Family Residential Office and Industrial Real Estate Investment Retail and Mixed Use Sports Sports overview College Athletics Technology & Digital Technology & Digital overview Digital Content Digital Infrastructure Technology Resources Insights Client tools Events and training Business topics About About us Firm leadership Purpose and values Responsible business Community Diversity, equity and inclusion Environment Pro bono Reports Alumni News Mason Howell Sponsorship Careers US careers Applications Why us? Lawyers and partners Business professionals Students and recent graduates Summer Program LLM Extern Program New attorneys Professional Development Offices United States Visit global site Select a local version of the site Angola Asia Austria Belgium Bulgaria Czech Republic Estonia Finland France Germany Hungary Iraq Ireland Italy Jordan Latvia Lithuania Luxembourg Mauritius Mozambique Netherlands Poland Portugal Qatar Romania Saudi Arabia Slovakia South Africa Spain Sweden Switzerland Tunisia United Arab Emirates United Kingdom United States Rest of the world en Select language English Ireland \| Eversheds Sutherland \| Recent Key Rulings on Data Protection Claims for Non-Material Damage Home Resources Insights Home Resources Insights Recent key rulings on data protection claims for non-material damage Recent key rulings on data protection claims for non-material damage What can be claimed for? How much? Pitfalls? September 12, 2024 Ireland Ireland Ireland An overview of CJEU and Irish court decisions to date in 2024 Article 82 of the General Data Protection Regulation (“GDPR”) establishes the right to compensation for any person who has suffered material or non-material damage as a result of an infringement of the GDPR. Under the GDPR, non-material damage refers to harm that does not involve financial loss and might include distress, anxiety, loss of control over personal data, or damage to reputation. There have been several significant cases heard by the Court of Justice of the European Union (“CJEU”) and the Irish courts relating to non-material damage. These recent rulings add clarity to the conditions under which claims for compensation for non-material damage can be pursued and highlight the need for robust data protection measures. The key takeaways from these recent rulings are summarised below: Data controllers/processors cannot avoid liability by relying on the negligence or failure of a person acting under their authority. ‘Identity theft’ implies that the identity of a person affected by a theft of personal data has actually been misused by a third party; if there is no proof of this misuse, it is simply data theft. Fear associated with the unauthorized disclosure of a person’s personal data to a third party can give rise to a right to compensation for non-material damage, but the fear must be proven. For now, a claimant must secure prior authorization from the Injuries Resolution Board before bringing Court proceedings seeking damages for stress or anxiety. Prior authorization will therefore be required before most (if not all) data protection claims issue. Damages awarded by the Irish Courts in data protection claims over the last number of years have ranged between €500-€5,500 (albeit there have only been three reported cases to date). Recent CJEU preliminary rulings The following recent CJEU decisions have addressed the conditions under which data subjects can claim compensation for non-material damage, confirming the necessity for data subjects to demonstrate actual harm and the potential for compensation based on the fear of data misuse. Many of the cases reiterated the foundational principles laid down in the UI v Österreichische Post AG¹ ruling from May 2023, which held that a breach of the GDPR does not automatically entitle someone to compensation. Damage or non-material damage must also have been actually suffered and a causal link between the infringement and the damage must be established. The CJEU further held that there is no minimum threshold for the seriousness of the damage suffered for a claim for compensation for non-material damage to exist. In the GP v Juris GmbH² ruling from April 2024, the claimant sought compensation for non-material damage. The CJEU made it clear that data controllers/processors cannot avoid liability by relying on the negligence or failure on the part of a person acting under their authority. The exemption provided for in Article 82(3) of the GDPR only applies where it can be proven that there is no causal link between the data breach and the damage suffered by the data subject. The Court ruled, as in previous cases, that the right to compensation is not punitive and that damages should be calculated accordingly. In the SO v Scalable Capital GmbH and JU v Scalable Capital GmbH³ ruling from June 2024, the claimants sought compensation for non-material damage after their personal data was stolen from Scalable Capital GmbH’s trading app. The CJEU clarified that ‘identity theft’ – to be classified as such and to give rise to a right to compensation for non-material damage – implies that the identity of a person affected by a theft of personal data has actually been misused by a third party. However, compensation for non-material damage cannot be limited to cases where it is demonstrated that the data theft then gave rise to identity theft or fraud; compensation may still be claimed for theft of personal data. Also in June 2024, in the case of AT, BT v PS GbR, VG, MB, DH, WB, GS⁴ the claimants sought compensation for the fear they suffered after their tax returns were mistakenly sent to the wrong address. The CJEU held that provided the fear and its negative consequences are proven, a person’s fear that their personal data has been disclosed to a third party can give rise to a right to compensation. The CJEU again reiterated that an infringement of GDPR alone is not enough for compensation – the affected individuals must show they suffered actual damage. Recent Irish decisions In Keane v Central Statistics Office⁵, Ms Keane claimed damages for severe stress and anxiety caused by the erroneous disclosure of her personal data. The High Court found that claims for stress and anxiety must be assessed by the Personal Injuries Assessment Board (“PIAB”), now the Injuries Resolution Board, before Court proceedings issue. The claim was not properly constituted due to the lack of PIAB authorisation; accordingly, that part of Ms Keane’s claim was struck out. Similarly, in Dillon v Life Assurance plc⁶, Mr Dillon sought non-material damages for distress, upset, and anxiety resulting from an alleged data breach where letters containing his personal data were sent to an unauthorised third party. The High Court reiterated the requirement that such claims must have prior authorisation from PIAB, even when such claims are for non-material damages, unlike Keane above. The High Court also emphasised that claims for distress and anxiety must meet the criteria for personal injury under the Personal Injuries Guidelines, which limit recovery to cases of recognisable psychiatric illness or injury. This decision, that claims for non-material damages require Injuries Resolution Board authorisation, is under Supreme Court appeal. In Nolan & Ors v Dildar & Ors⁷, the Plaintiffs alleged that a pension provider had provided their personal data (including PPSNs and names) to another company without their consent. The Court addressed the scope of data controllers’/processors’ liability under the Data Protection Acts 1988 and 2003 only, however, nominal damages were awarded in the sum of €500 per Plaintiff indicating the potential quantum for data protection infringements under the GDPR. In McCabe v AA Ireland Ltd⁸ , in July 2024 the Irish Circuit Court delivered its second reported judgment awarding damages in a data protection claim under the Data Protection Act 2018 (as amended) (“2018 Act”). In that case, the Plaintiff, while on sick leave, was video recorded by a manager of the Defendant company assisting his mother-in-law cut overhanging branches from a tree. The Plaintiff reacted angrily to being recorded. The following day he was suspended from work and ultimately, he was summarily dismissed by the Defendant company. The Plaintiff claimed that the Defendant had unlawfully processed his personal data by recording him without his knowledge and consent, ultimately leading to damage in the form of loss of employment and non-material damage in the form of significant distress, stress and anxiety as a result of the loss of control of his personal data. The Defendant’s chief defense was that the recording was not taken on its instruction nor utilized in the disciplinary process following the incident. The Circuit Court had regard to decision of the CJEU in GP v Juris GmbH – which held that data controllers/processors cannot avoid liability by relying on the negligence or failure on the part of a person acting under their authority – in finding that “the video in this instance was created by the plaintiff’s manager and while the video was not directly relied on for the purpose of the subsequent dismissal of the plaintiff, there is clearly a causal link between the actions of [the manager] in this regard and the ultimate dismissal of the plaintiff from his position of employment.” The Court awarded €5,500 for both material and non-material damage. Commentary The recent CJEU rulings and decisions of the Irish Courts collectively underscore the evolving landscape of claims for compensation for non-material damage under the GDPR and 2018 Act. A comprehensive High Court judgment on non-material damage is still awaited to provide a precedent from the Superior Courts that must be followed, however, given that the quantum of damages awarded in such claims thus far is well within the District Court’s monetary jurisdiction (up to €15,000), it may still be some time before such a judgment is delivered. As of 11 January 2024, the District Court has jurisdiction to hear data protection claims, by virtue of section 77 of the Courts and Civil Law (Miscellaneous Provisions) Act 2023. Our Data Protection lawyers at Eversheds Sutherland are well versed in advising on these matters, ensuring that clients receive expert guidance tailored to their specific needs. With thanks to Melanie Ardiff and Dermot Gallagher for their contributions to this briefing. 1 Case C-300/21 2 Case C 741/21 3 Joined Cases C 182/22 and C 189/22 JU 4 Case C 590/22 5 [2024] IEHC 20 6 [2024] IEHC 203 7 [2024] IEHC 4 8 [2024] IECC 6 The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer. Services Data Privacy, Security and Technology Litigation and Dispute Resolution Industries Technology Key contacts Pamela O'Neill Managing Partner Dublin, Ireland Ciara Geraghty Of Counsel Dublin, Ireland Latest Insights legal updates Global Life Sciences & Healthcare Bulletin legal updates The IRS strikes back – Recent developments in Kwong and Abdo legal updates Georgia’s corporate governance reform: Key changes under HB 1185 legal updates Illinois tax increases part two: Digital asset privilege tax, prediction markets, NOL carryover limitations, and more Latest News client news A blueprint for growth: Eversheds Sutherland supports Leonard Design Group restructuring and MBO client news Next stop, public ownership: Eversheds Sutherland advises DfT on GTR transition firm news Eversheds Sutherland strengthens restructuring offering with senior partner appointment firm news Eversheds Sutherland strengthens Commercial Advisory practice with technology partner hire Latest Events virtual \| June 09, 2026 UK employment law training virtual \| June 16, 2026 Nordic (Denmark, Finland, Norway and Sweden) employment law training virtual \| June 23, 2026 Introduction to Swiss employment law virtual \| September 10, 2026 UAE - Employment law in the Dubai International Financial Centre Tabs Label legal updates June 03, 2026 Global Life Sciences & Healthcare Bulletin legal updates June 03, 2026 The IRS strikes back – Recent developments in Kwong and Abdo legal updates June 02, 2026 Georgia’s corporate governance reform: Key changes under HB 1185 legal updates June 02, 2026 Illinois tax increases part two: Digital asset privilege tax, prediction ma... Legal notices Terms & conditions Privacy notice Cookies Disclaimer LinkedIn Facebook YouTube Connect Contact us Client login Staff login Subscribe About us About Eversheds Sutherland Purpose and values Responsible business Alumni Insights Client tools Events and training Business topics Careers Sitemap Offices © 2026 Eversheds Sutherland (US) LLP Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed or affiliated firms and the members of Eversheds Sutherland (Europe) Limited and Eversheds Sutherland (Africa) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the member firms or their controlled, managed or affiliated entities are in a partnership or are part of a global entity. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client. For information on Konexo please also see the Legal Notices page of this website ATTORNEY ADVERTISING - Prior results do not guarantee a similar outcome. Unless otherwise indicated, attorneys at Eversheds Sutherland (US) LLP are not certified by the Texas Board of Legal Specialization.

An overview of CJEU and Irish court decisions to date in 2024

Article 82 of the General Data Protection Regulation (“GDPR”) establishes the right to compensation for any person who has suffered material or non-material damage as a result of an infringement of the GDPR. Under the GDPR, non-material damage refers to harm that does not involve financial loss and might include distress, anxiety, loss of control over personal data, or damage to reputation.

There have been several significant cases heard by the Court of Justice of the European Union (“CJEU”) and the Irish courts relating to non-material damage. These recent rulings add clarity to the conditions under which claims for compensation for non-material damage can be pursued and highlight the need for robust data protection measures. The key takeaways from these recent rulings are summarised below:

Data controllers/processors cannot avoid liability by relying on the negligence or failure of a person acting under their authority.
‘Identity theft’ implies that the identity of a person affected by a theft of personal data has actually been misused by a third party; if there is no proof of this misuse, it is simply data theft.
Fear associated with the unauthorized disclosure of a person’s personal data to a third party can give rise to a right to compensation for non-material damage, but the fear must be proven.
For now, a claimant must secure prior authorization from the Injuries Resolution Board before bringing Court proceedings seeking damages for stress or anxiety. Prior authorization will therefore be required before most (if not all) data protection claims issue.
Damages awarded by the Irish Courts in data protection claims over the last number of years have ranged between €500-€5,500 (albeit there have only been three reported cases to date).

Recent CJEU preliminary rulings

The following recent CJEU decisions have addressed the conditions under which data subjects can claim compensation for non-material damage, confirming the necessity for data subjects to demonstrate actual harm and the potential for compensation based on the fear of data misuse. Many of the cases reiterated the foundational principles laid down in the UI v Österreichische Post AG¹ ruling from May 2023, which held that a breach of the GDPR does not automatically entitle someone to compensation. Damage or non-material damage must also have been actually suffered and a causal link between the infringement and the damage must be established. The CJEU further held that there is no minimum threshold for the seriousness of the damage suffered for a claim for compensation for non-material damage to exist.

In the GP v Juris GmbH² ruling from April 2024, the claimant sought compensation for non-material damage. The CJEU made it clear that data controllers/processors cannot avoid liability by relying on the negligence or failure on the part of a person acting under their authority. The exemption provided for in Article 82(3) of the GDPR only applies where it can be proven that there is no causal link between the data breach and the damage suffered by the data subject. The Court ruled, as in previous cases, that the right to compensation is not punitive and that damages should be calculated accordingly.

In the SO v Scalable Capital GmbH and JU v Scalable Capital GmbH³ ruling from June 2024, the claimants sought compensation for non-material damage after their personal data was stolen from Scalable Capital GmbH’s trading app. The CJEU clarified that ‘identity theft’ – to be classified as such and to give rise to a right to compensation for non-material damage – implies that the identity of a person affected by a theft of personal data has actually been misused by a third party. However, compensation for non-material damage cannot be limited to cases where it is demonstrated that the data theft then gave rise to identity theft or fraud; compensation may still be claimed for theft of personal data.

Also in June 2024, in the case of AT, BT v PS GbR, VG, MB, DH, WB, GS⁴ the claimants sought compensation for the fear they suffered after their tax returns were mistakenly sent to the wrong address. The CJEU held that provided the fear and its negative consequences are proven, a person’s fear that their personal data has been disclosed to a third party can give rise to a right to compensation. The CJEU again reiterated that an infringement of GDPR alone is not enough for compensation – the affected individuals must show they suffered actual damage.

Recent Irish decisions

In Keane v Central Statistics Office⁵, Ms Keane claimed damages for severe stress and anxiety caused by the erroneous disclosure of her personal data. The High Court found that claims for stress and anxiety must be assessed by the Personal Injuries Assessment Board (“PIAB”), now the Injuries Resolution Board, before Court proceedings issue. The claim was not properly constituted due to the lack of PIAB authorisation; accordingly, that part of Ms Keane’s claim was struck out.

Similarly, in Dillon v Life Assurance plc⁶, Mr Dillon sought non-material damages for distress, upset, and anxiety resulting from an alleged data breach where letters containing his personal data were sent to an unauthorised third party. The High Court reiterated the requirement that such claims must have prior authorisation from PIAB, even when such claims are for non-material damages, unlike Keane above. The High Court also emphasised that claims for distress and anxiety must meet the criteria for personal injury under the Personal Injuries Guidelines, which limit recovery to cases of recognisable psychiatric illness or injury. This decision, that claims for non-material damages require Injuries Resolution Board authorisation, is under Supreme Court appeal.

In Nolan & Ors v Dildar & Ors⁷, the Plaintiffs alleged that a pension provider had provided their personal data (including PPSNs and names) to another company without their consent. The Court addressed the scope of data controllers’/processors’ liability under the Data Protection Acts 1988 and 2003 only, however, nominal damages were awarded in the sum of €500 per Plaintiff indicating the potential quantum for data protection infringements under the GDPR.

In McCabe v AA Ireland Ltd⁸ , in July 2024 the Irish Circuit Court delivered its second reported judgment awarding damages in a data protection claim under the Data Protection Act 2018 (as amended) (“2018 Act”). In that case, the Plaintiff, while on sick leave, was video recorded by a manager of the Defendant company assisting his mother-in-law cut overhanging branches from a tree. The Plaintiff reacted angrily to being recorded. The following day he was suspended from work and ultimately, he was summarily dismissed by the Defendant company. The Plaintiff claimed that the Defendant had unlawfully processed his personal data by recording him without his knowledge and consent, ultimately leading to damage in the form of loss of employment and non-material damage in the form of significant distress, stress and anxiety as a result of the loss of control of his personal data.

The Defendant’s chief defense was that the recording was not taken on its instruction nor utilized in the disciplinary process following the incident. The Circuit Court had regard to decision of the CJEU in GP v Juris GmbH – which held that data controllers/processors cannot avoid liability by relying on the negligence or failure on the part of a person acting under their authority – in finding that “the video in this instance was created by the plaintiff’s manager and while the video was not directly relied on for the purpose of the subsequent dismissal of the plaintiff, there is clearly a causal link between the actions of [the manager] in this regard and the ultimate dismissal of the plaintiff from his position of employment.” The Court awarded €5,500 for both material and non-material damage.

Commentary

The recent CJEU rulings and decisions of the Irish Courts collectively underscore the evolving landscape of claims for compensation for non-material damage under the GDPR and 2018 Act. A comprehensive High Court judgment on non-material damage is still awaited to provide a precedent from the Superior Courts that must be followed, however, given that the quantum of damages awarded in such claims thus far is well within the District Court’s monetary jurisdiction (up to €15,000), it may still be some time before such a judgment is delivered. As of 11 January 2024, the District Court has jurisdiction to hear data protection claims, by virtue of section 77 of the Courts and Civil Law (Miscellaneous Provisions) Act 2023.

Our Data Protection lawyers at Eversheds Sutherland are well versed in advising on these matters, ensuring that clients receive expert guidance tailored to their specific needs.

With thanks to Melanie Ardiff and Dermot Gallagher for their contributions to this briefing.

1 Case C-300/21
2 Case C 741/21
3 Joined Cases C 182/22 and C 189/22 JU
4 Case C 590/22
5 [2024] IEHC 20
6 [2024] IEHC 203
7 [2024] IEHC 4
8 [2024] IECC 6

The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer.