Right to compensation for GDPR violation (Art. 82)

GDPR Art. 82 grants you the right to compensation for any damage suffered from a GDPR breach — by the controller and/or processor. What is "damage"? Two types: (1) Material damage — direct financial loss. E.g. identity fraud after a data breach (recovery costs), missed job after a wrongly shared medical file. (2) Non-material damage — no financial loss but still harm: stress, anxiety, loss of control, privacy intrusion. CJEU 2023-2024 clarifications: No threshold — even small harm qualifies (UI v. Österreichische Post, C-300/21). But: there must be demonstrable harm; "GDPR was breached" without consequence is not enough. However the burden of proof for harm is low — a feeling of loss of control or concern can already suffice (Scalable Capital C-687/21). How much? No fixed tariffs. Dutch case law shows: €250-€1,500 for moderate distress, €1,500-€5,000 for identity-fraud risk, €5,000+ for published sensitive data or long-term harm. How to claim? Step 1: formal demand letter with explicit damages claim + substantiation. Step 2: no response in 30 days → civil court (small-claims court up to €25,000, otherwise district court). Step 3: parallel AP complaint for additional fining pressure. Limitation: 5 years from discovery (Dutch Civil Code 3:310(1)). Important: the business can exculpate itself by proving it is in no way responsible for the harm-causing event. High burden on the business.