My data is in a breach — what are my rights?
Right to be informed on high risk (Art. 34), right of access (Art. 15), right to erasure (Art. 17), right to damages (Art. 82). Business must notify + take action.
On a data breach the business has four obligations toward you: (1) notify AP within 72h (Art. 33), (2) inform you on high risk (Art. 34), (3) facilitate your rights (Art. 15-22), (4) compensate damages (Art. 82). Your steps: check Have I Been Pwned to see if your email is in a known leak. Request access from the business to find out what exactly leaked. Change passwords + 2FA + monitor accounts. On financial damage immediately call bank. Damages claim Art. 82: since CJEU 2023-2024 (UI v Österreichische Post + Scalable Capital) even stress / loss of control / anxiety counts as damage. Amounts in Dutch case law: €250-€5,000 depending on data + impact. For medical data or BSN: higher range. Class action: on big breaches it's often easier to join a Consumentenbond action or foundation claim than litigate individually.
Step by step
Check Have I Been Pwned + change passwords
haveibeenpwned.com — released breaches database. Change password everywhere reused.
Access request at business
What exactly leaked + Art. 34 confirmation. Our access generator (€9.99) or the bundle GDPR rights pack (€29).
No notification despite high risk? AP complaint
Art. 34 violation = serious GDPR breach. AP complaint generator.
Damages claim Art. 82 or class action
Individual: civil court, typically €250-€5,000. Collective: Consumentenbond / foundation — usually no-cure-no-pay.
Ready to act?
We'll draft the right letter for you
Personalised PDF · Send-ready · One-off €9,99
- ⚡ PDF in your inbox in 60 seconds
- 📄 BTW-compliant invoice included
- ↩️ 30-day fix-it guarantee
Sources
🔎 Common search variants
Recognise your own search? Our answer above covers these too.
- “my data in breach rights”
- “data breach compensation netherlands”
- “data breach access request”