Child and Family Agency Ireland – Court Ruling (Ireland, 2023)

The data subject took a civil claim against the controller, here the Child and Family Agency, for unlawfully disclosing her data. The controller had been in possession of sensitive data relating to childhood abuse suffered by the data subject. The controller accepted that it had caused a data breach, which resulted in the data subject’s now deceased brother having access to the information. The brother had been the subject of the report of abuse made by the data subject to the controller. After the report had been disclosed to her brother, her other siblings and family members also found out about the incident. The data subject reported that this caused her extreme distress and resulted in a lack of trust in the controller and further mental health problems. The court found that the data subject’s relationship with her family members had been damaged due to the data breach. The court reiterated that a breach of the GDPR does not automatically warrant damages. The court highlighted that in this case, the data subject had been retraumatised through the actions of the controller. The court classified the data breach as serious in nature and awarded the data subject with damages in the sum of €7,500. In setting this number, the court highlighted the controller’s role in handling sensitive data and the high level trust required.