Tuesday, 31 March 2026

Data Breach - Farley and Others v Paymaster (1836) Ltd

Brighton Town Hall
Author Hassocks5489  Licence CC0 1.0  Source Wikimedia Commons

Court of Appeal (Lady Justice King, Lord Justice Warby and Lady Justice Whipple)  Farley and others v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117 (22 Aug 2025)

This was an appeal against the order of Mr Justice Nicklin in Farley and Others v Paymaster (1836) Ltd (Trading As Equiniti) [2024] EWHC 383 (KB) (23 Feb 2024), striking out most of the individual claims in a collective action arising from a data breach. The appeal came before Lady Justice King, Lord Justice Warby and Lady Justice Whipple on 17 and 18 June 2025. Counsel's arguments were filmed and can be viewed on YouTube at Farley (appellant) v Paymaster (1836) Limited (t/a Equiniti) (respondent) 17 June and 18 June. The Court of Appeal allowed the appeal on 22 Aug 2025 (Farley and Others v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117 (22 Aug 2025)). Permission to appeal to the Supreme Court was granted on 17 Dec 2025. The appeal is listed for 7 and 8 Oct 2026.

Background

The claimants were members of a pension scheme for officers of the Sussex Police administered by the defendant. In August 2019, the defendant administrator sent an annual benefit statement to each member of the scheme. The statement contained an overview of the member's accrued benefits together with his or her name, date of birth, national insurance number and details of his or her salary and pension. It would have been apparent to anybody reading the statement that the member was or had been a police officer. The defendant sent some 750 of those statements to wrong addresses. The members affected alleged that this was a misuse of their personal information and an infringement of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) OJ L 119, 4.5.2016, pp. 1–88 ("the GDPR"). Those members complained that the infringement had led to injury to their feelings, and in some cases, psychiatric harm from fear of third-party misuse of their personal data. They sued the administrator for compensation for the damage that they had suffered under art 82 (1) of the GDPR.

The Defendant's Application

The defendant applied to strike out the claim for failing to disclose a cause of action or, alternatively, for summary judgment. The application came on for hearing before Mr Justice Nicklin on 27 and 28 Feb 2023. The learned judge received written submissions on 18 and 19 May and 1 June 2023. His lordship allowed the claims of 14 members to proceed as they could show that their statements had been read, but he struck out the remaining claims, which numbered over 400.

The Appeal

The members whose claims had been struck out appealed on the ground that the judge had been wrong in law.   In particular, he had been wrong to regard disclosure of the benefit statement to a third party as an essential ingredient of a viable data protection claim. The appellants contended that posting the statement to the wrong address infringed their rights under the data protection legislation. The defendant argued that the compensation claims were factually incredible, insufficient or untenable as a matter of law, or so trivial that they should be dismissed as an abuse of process of the kind identified in Jameel v Dow Jones Inc [2005] EMLR 16, [2005] QB 946, [2005] 2 WLR 1614, [2005] EMLR 353, [2005] EWCA Civ 75.

The Issues

Lord Justice Warby, who delivered the lead judgment, summarized the main issues at para [5]:

The Data Protection Legislation

The learned Lord Justice condensed the data protection legislation in para [28] of his judgment:
"The GDPR is EU legislation with direct effect in all EU member states. It enacts a number of data protection rights and obligations and contains provision for their enforcement. Article 5 identifies six 'principles relating to processing of personal data' with which data controllers must comply. Articles 24, 25 and 32 require data controllers to 'implement appropriate technical and organisational measures' to ensure GDPR compliance. Article 82 confers a right to receive compensation for material or non-material damage suffered as a result of an infringement. The GDPR applied with effect from May 2018. By Part 2 of the [Data Protection Act 2018], Parliament enacted provisions supplemental to the GDPR. Those provisions also came into force in May 2018."
He explained at [29] that these are the legislative instruments that apply to the events with which the Court was concerned because the European Union (Withdrawal) Act 2018 provided for the GDPR to remain part of English law until 23:00 on 31 Dec 2020.

Interpreting the GDPR

Lord Justice Warby added at [30] that English courts are bound by principles laid down by the Court of Justice of the European Union ("CJEU") and decisions made by it before 31 Dec 2020 as these are "assimilated EU case law" but not by any principles laid down, or any decisions made, by the CJEU after that date.  English courts "may have regard" to such principles or decisions "so far as it is relevant to any matter before the court". In deciding how to approach the latter class of CJEU decisions, English courts are bound by the law of precedent.

Infringement Issue

His lordship said that the first question to be considered in determining whether the administrator's mistake amounted to an infringement of the GDPR was whether the claimants had set out a reasonable basis for alleging that the defendant had engaged in "processing" their "personal data" within the meaning of the regulation and of the Act.    

He considered the definitions of "personal data" in art 4 (1) of the regulation and s.3 (2) of the Act and described them as "language of extremely broad reach." He added that there had never been any dispute that the information at issue here fell within that language and concluded that clearly it did.  

He turned his attention to the definition of "processing" in art 4 (2) of the regulation and s.3 (4) of the Act. Those definitions, which are very similar, define "processing" as "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means" with such illustrative examples as "collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction." He recalled the CJEU's discussion of art 4 (2) in para [35] of its judgment in Case C-175/20 “SS” SIA v Valsts ieņēmumu dienests, EU:C:2022:124, ECLI:EU:C:2022:124, [2022] EUECJ C-175/20:
"It is apparent from the wording of that provision, in particular from the expression 'any operation', that the EU legislature intended to give the concept of 'processing' a broad scope. That interpretation is corroborated by the non-exhaustive nature, expressed by the phrase 'such as', of the operations mentioned in that provision."

Lord Justice Warby noted at [36] that it was common ground that the defendant's operations amounted to "processing."

The learned Lord Justice observed that the defendant might have argued that printing out the statements, stuffing them into envelopes and posting them were manual operations after the processing had been completed, but it did not do so. It actually admitted that those steps did constitute processing.   On the basis of that admission, his lordship ruled that there was no basis for striking out those aspects of the claims.

Compensation Issue

Art 82 GDPR provides:

"(1) Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller ... for the damage suffered.
(2) Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation ..."
Before 31 Dec 2020, s.168 (1) of the Data Protection Act 2018 amplified art 82 (1) of the GDPR (right to compensation for material or non-material damage), by adding that 'non-material damage' included distress.

The claimants had pleaded that each of them experienced "anxiety, alarm, distress and embarrassment" at the prospect or possibility that their personal data may have come into the hands of third parties and been misused or exposed to the risk of misuse. That was expressly pleaded as "non-material damage". Secondly, 42 of them alleged that the infringements aggravated a pre-existing medical condition for which general damages were sought without particularizing such aggravation as material or non-material damage.   The administrator invited the Court of Appeal to dismiss those claims as incredible under CPR Part 24.  His lordship declined the invitation as it would have been a strong thing to reject statements of truth without hearing from the witnesses. He did not consider that the Court would be justified in taking that step.

The defendant's next point was that on the true construction of the GDPR and the Data Protection Act 2018, compensation was not recoverable for emotional responses other than distress. Lord Justice Warby rejected that submission. He said that the governing provision was art 82, which referred to "non-material damage" without limitation. S.168 (1) of the Act added that this term "included distress" but it was plain that that was an illustrative point. S.168 did not purport to define or limit the scope of the term "non-material damage" in art 82. Indeed, it seemed clear that Parliament's aim in enacting s.168 (1) was not to limit the ambit of the right to compensation but rather to confirm its breadth.

Despite such authorities as Case C‑300/21 UI v Österreichische Post AG [2023] WLR(D) 221, EU:C:2023:370, [2023] EUECJ C-300/21, ECLI:EU:C:2023:370, Case C‑340/21 VB v Natsionalna agentsia za prihodite EU:C:2023:986, ECLI:EU:C:2023:986, [2024] WLR(D) 17, [2023] EUECJ C-340/21, Case C-456/22 VX v Gemeinde Ummendorf EU:C:2023:988, ECLI:EU:C:2023:988, [2023] EUECJ C-456/22 and Case C‑687/21 BL v MediaMarktSaturn Hagen-Iserlohn GmbH, [2024] 1 WLR 2597, [2024] EUECJ C-687/21, ECLI:EU:C:2024:72, EU:C:2024:72, [2024] WLR(D) 53 to the contrary, the defendant administrator contended that there was a threshold of seriousness which the claimants had not cleared. It argued that the courts of the United Kingdom are no longer bound by decisions of the CJEU handed down after 23:00 on 31 Dec 2020, that they were bound by Lloyd v Google LLC [2022] 2 All ER 209, [2022] HRLR 1, [2022] 1 All ER (Comm) 1107, [2022] AC 1217, [2021] 3 WLR 1268, [2022] EMLR 6, [2021] UKSC 50 and Prismall v Google UK Ltd [2024] EWCA Civ 1516, [2025] 2 WLR 1224, that they should not follow the CJEU because its reasoning was flawed, and that a threshold of seriousness would eliminate trivial claims and achieve coherence in the law.

Lord Justice Warby did not accept those arguments.  He reviewed the authorities on which the defendant relied and concluded that they did not support the contention that there was a threshold of seriousness for data protection claims in English law.  As for whether the English courts should take a different course from the CJEU, he accepted that it was an option for Parliament.  A judicial decision to do so would require compelling legal reasons.  He remarked at para [67] of his judgment:
"...... the GDPR is an international legal instrument which had direct effect in this jurisdiction at the material time. Further, its domestic successor, the UK GDPR, is post-Brexit legislation in which Parliament decided to adopt the identical language, so far as material to this case. Self-evidently, divergent interpretations of the same legislative text tend to undermine legal certainty. It seems to me that, other things being equal, it makes good legal sense for the court to interpret and apply the GDPR in conformity with settled CJEU jurisprudence."
He analysed the CJEU decisions mentioned above but could see no sufficiently weighty reason for departing on this appeal from the settled CJEU jurisprudence on the threshold of seriousness issue.

However, he said that it was clear from those cases that a claimant could recover compensation for fear of the consequences of an infringement, provided the alleged fear was objectively well-founded.

The Jameel Issue

The defendant relied on the Jameel principle in the strikeout application.   It was summarized by the Court of Appeal in para [175] of their judgment in Municipio de Mariana v BHP Group (UK) Ltd [2022] EWCA Civ 951, [2022] 1 WLR 4691, [2023] 1 All ER 611, [2022] WLR(D) 300, [2022] WLR 4691:
"[P]roceedings may ... be abusive if, even though they raise an arguable cause of action, they are (objectively) pointless and wasteful, in the sense that the benefits to the claimants from success [are] likely to be extremely modest and the costs to the defendants in defending the claims wholly disproportionate to that benefit" (citing Jameel (Yousef) v Dow Jones Co Inc [2005] EWCA Civ 75, [2005] QB 946)

The Supreme Court considered the principle further in Mueen-Uddin v Home Secretary  [2024] UKSC 21, [2024] EMLR 13, [2024] 3 WLR 244, CLW/24/23/1, [2024] 3 All ER 985, [2024] WLR(D) 283.

The administrator relied on the principle in its strikeout and summary judgment application, but Mr Justice Nicklin did not accept it.  It cross-appealed to the Court of Appeal with limited success.  Lord Justice Warby said at para [6 (3)] of his judgment:

"The Jameel jurisdiction does not provide a reason to bypass that process. These claims as a class cannot be categorised as Jameel abuse although the question of whether any individual case is abusive will remain for consideration."

The fact that a claim was small did not mean that it was abusive.  Lord Justice Warby quoted Lord Justice Lewison in Sullivan v Bristol Film Studios [2012] EWCA Civ 570, [2012] EMLR 27 at [29]:

"The mere fact that a claim is small should not automatically result in the court refusing to hear it at all. If I am entitled to recover a debt of £50 .... it would be an affront to justice if my claim were simply struck out."

The defendant had understandable concerns about costs and the difficulty of recovering them if it was successful, but that did not make the proceedings abusive.

The Supreme Court Appeal

The issue on which permission to appeal was granted is whether a threshold of seriousness applies to claims for damages under the GDPR and the Data Protection Act 2018.

Comment

This is an important decision on claims under art 82 (1) for compensation for material and non-material damage resulting from an infringement of the GDPR.  Should the Supreme Court allow Paymaster (1836) Ltd.'s appeal on thresholds of seriousness, its importance will be all the greater.  The Court of Appeal has ruled on what constitutes an infringement and whether concern over who may be reading confidential statement information of itself constitutes non-material damage.  The Court has also followed the CJEU's decisions on thresholds of seriousness and rejected the Jameel principle.  

Anyone wishing to discuss this case or this article may call me on +44 (0)20 7404 5252 during UK office hours or send me a message through my contact form at any time.

Sunday, 29 March 2026

Art 82 (1) GDPR - GP v Juris GmbH

Landgericht Saarbrücken
Author Anna16 Licence CC BY-SA 3.0  Source Wikimedia Commons

Jane Lambert

Court of Justice of the European Union (K. Jürimäe, President of the Chamber, N. Piçarra and N. Jääskinen (Rapporteur), Judges), Case C-741/21 GP v juris GmbH [2024] EUECJ C-741/21, ECLI:EU:C:2024:288, EU:C:2024:288

This was a request by the Landgericht Saarbrücken for a preliminary ruling on the interpretation of art 82 (1) and (3) of the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) OJ L 119, 4.5.2016, pp. 1–88) read in conjunction with arts 29 and 83 and the 85th and 146th recitals. The request was made in the course of proceedings that the claimant, GP, had brought against juris GmbH, the defendant, for compensation for damage arising from the defendant's unauthorised processing of his personal data.

The Dispute

The defendant published online legal information as well as newsletters. One of its subscribers was the claimant, a lawyer in independent private practice. He discovered that juris GmbH had used his personal data for direct marketing. He withdrew his consent to the processing of his personal data and closed his email and telephone updating accounts, but continued to receive newsletters from the defendant company. The mailshots that he continued to receive from juris included some with a code that enabled him to access an online form containing his personal data, which had been created long after he had withdrawn his consent.

The Action

GP launched an action against juris GmbH in the Landgericht Saarbrücken (the intermediate court of first instance for Saarbrücken) for compensation for material and non-material damage under art 82 (1) of the GDPR. His material damage consisted of the costs of instructing a bailiff and notary. He alleged that his loss of control over his personal data resulting from the unauthorised processing constituted non-material damage. Juris denied liability. It stated that it had established a system for managing objections to direct marketing. It attributed the stray mailshots to isolated slip-ups by its employees and said that the cost of preventing such slip-ups altogether was prohibitive. It also argued that mere breaches of obligation under the GDPR, such as non-compliance with objections under art 21 (3), cannot, by themselves, constitute ‘damage’ within the meaning of art 82 (1).

The Reference

The Landgericht Saarbrücken decided to stay the proceedings and refer the following questions to the Court of Justice of the European Union ("CJEU") for a preliminary ruling under art 267 of the Treaty on the Functioning of the European Union:

"(1) In the light of recital 85 and the third sentence of recital 146 of the GDPR, is the concept of ‘non-material damage’ in Article 82 (1) of the GDPR to be understood as covering any impairment of the protected legal position, irrespective of the other effects and materiality of that impairment?
(2) Is liability for compensation under Article 82 (3) of the GDPR excluded by the fact that the infringement is attributed to human error in the individual case on the part of a person acting under the authority of the processor or controller within the meaning of Article 29 of the GDPR?
(3) Is it permissible or necessary [to base] the assessment of compensation for non-material damage [on the] criteria for determining fines set out in Article 83 of the GDPR, in particular in Article 83 (2) and 83(5) of the GDPR?
(4) Must the compensation be determined for each individual infringement, or are several infringements - or at least several infringements of the same nature - penalised by means of an overall amount of compensation, which is not determined by adding up individual amounts but is based on an evaluative overall assessment?"

Judgment

The CJEU delivered its reply in Case C-741/21 GP v juris GmbH [2024] EUECJ C-741/21, ECLI:EU:C:2024:288, EU:C:2024:288 on 11 April 2024.

Legislation

The Court considered the 85th, 146th and 148th recitals of the GDPR and arts 4 (1), (7) and (12), 5, 21, 24 (1) and (2), 25 (1), 29, 32 (1) (b), (2) and (4), 79, 82 (1), (2) and (3), 83 (2) (a), (b) and (k), (3) and (5) and 84 (1) of its provisions.

The First Question

Juris GmbH challenged the admissibility of the first question on the ground that the damage alleged by GP in the main proceedings, a loss of control over his personal data, did not occur. It alleged that GP's data had been lawfully processed under his contract with the defendant company. The CJEU rejected the challenge. It was for the national court to determine, in the light of the particular circumstances of the case, both the need for a preliminary ruling in order to enable it to deliver judgment in the proceedings before it and the relevance of the questions that it submits to the Court. There was no reason in this case to doubt the question's relevance.

The Court reframed the Landgericht's first question as "whether Article 82 (1) of the GDPR must be interpreted as meaning that an infringement of provisions of that regulation which confer rights on the data subject is sufficient, in itself, to constitute ‘non-material damage’, within the meaning of that provision, irrespective of the degree of seriousness of the harm suffered by that person."  

Referring to para [58] of its judgment in Case C‑687/21 BL v MediaMarktSaturn Hagen-Iserlohn GmbH, [2024] 1 WLR 2597, [2024] EUECJ C-687/21, ECLI:EU:C:2024:72, EU:C:2024:72, [2024] WLR(D) 53 and the cases cited therein, the Court noted that it had already interpreted art 82 (1) as meaning that the mere infringement of that regulation is not sufficient to confer a right to compensation. The existence of ‘damage’, material or non-material, or of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in art 82 (1). So, too, does the existence of an infringement of that regulation and of a causal link between that damage and that infringement, those three conditions being cumulative. Applying paras [60] and [61] of that judgment and the cases cited, a person seeking compensation for non-material damage under art 82 (1) must establish not only the infringement of provisions of that regulation, but also that such infringement caused him or her such damage.

The Court added that it had interpreted art 82 (1) as precluding a national rule or practice which makes compensation for non-material damage subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness, while emphasising that that person is nevertheless required to demonstrate that the infringement of that regulation caused him or her such non-material damage (paras [59] and [60] of MediaMarktSaturn and the cases referred to in those paragraphs).

The answer to the first question was that art 82 (1) must be interpreted as meaning that an infringement of provisions of that regulation which confer rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’ within the meaning of that provision, irrespective of the degree of seriousness of the damage suffered by that person.

The Second Question

The Landgericht asked whether art 82 (3) must be interpreted as meaning that a controller can be exempted from liability under art 82 (1) by claiming that the damage in question was caused by the failure of a person acting under his authority within the meaning of art 29.

The Court observed that it had already held in Case C‑667/21 ZQ v Medizinischer Dienst der Krankenversicherung Nordrhein, Körperschaft des öffentlichen Rechts ECLI:EU:C:2023:1022, EU: C:2023:1022, [2023] EUECJ C-667/21  from a combined analysis of art 82 (2) and (3) that that article provides for a fault-based regime, in which the controller is presumed to have participated in the processing constituting the breach of the GDPR in question, so that the burden of proof lies not with the person who has suffered damage but with the controller.

As an employee of the controller is a natural person acting under the authority of that controller, it is for that controller to ensure that his or her instructions are correctly applied by his or her employees. Accordingly, the controller cannot avoid liability under art 82 (3) simply by relying on negligence or failure on the part of a person acting under his or her authority.   If it were accepted that a controller could be exempted from liability merely by relying on the failure of a person acting under his or her authority, that would undermine the effectiveness of the right to compensation under art 82 (1).

The answer to the second question was that art 82 must be interpreted as meaning that it is not sufficient for the controller to claim that the damage in question was caused by the failure of a person acting under his or her authority within the meaning of art 29 to be exempted from liability under art 82 (3).

The Third and Fourth Questions

The CJEU took the referring court's third and fourth questions together. That court had asked whether art 82 must be interpreted as meaning that it is necessary to:
  • apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in art 83 GDPR, and/or
  • take account of the fact that several infringements of the GDPR concerning the same processing operation affect the person seeking compensation
in determining the amount of damages due as compensation for damage under that article.

The CJEU began by pointing out that arts 82 and 83 serve different functions. Art 82 governs the right to compensation and liability while art 83 determines the ‘general conditions for imposing administrative fines’. It follows that the criteria set out in art 83 for determining the amount of administrative fines cannot be used to assess the amount of compensation under art 82.

The GDPR does not contain any provision relating to the assessment of the damages due under art 82. For the purposes of that assessment, the national courts must apply the domestic rules of each Member State relating to the extent of monetary compensation, provided that the principles of equivalence and effectiveness of EU law are complied with (see paras [83] and [101] of Krankenversicherung Nordrhein and the cases referred to and para [53] of MediaMarktSaturn). The Court has emphasized that art 82 has a compensatory and not a punitive function. The right to compensation does not fulfil a deterrent, or even punitive, function. It follows that the amount cannot exceed the full compensation for that damage (para [86] of Krankenversicherung Nordrhein).

As to the way in which national courts must assess the amount of monetary compensation under art 82 in the case of multiple infringements affecting the same data subject, it should, first of all, be pointed out that it is for each Member State to establish the criteria for determining the amount of that compensation, subject to compliance with the principles of effectiveness and equivalence of EU law. Next, in view of the compensatory rather than punitive function of art 82, the fact that several infringements have been committed by the controller in relation to the same data subject cannot constitute a relevant criterion for the purposes of assessing the compensation to be awarded to that data subject under art 82. Only the damage actually suffered by the data subject must be taken into consideration to determine the amount of money due by way of compensation.

The answer to the third and fourth questions is that art 82 (1) of the GDPR must be interpreted as meaning that it is not necessary to:
  • apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in art 83; and/or 
  • take account of the fact that several infringements of that regulation concerning the same processing operation affect the person seeking compensation
to determine the amount of money due as compensation for damage based on that article.

Ruling

The CJEU ruled as follows:

"1. Article 82 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that an infringement of provisions of that regulation which confer rights on the data subject is not sufficient, in itself, to constitute ‘non-material damage’ within the meaning of that provision, irrespective of the degree of seriousness of the damage suffered by that person.
2. Article 82 of Regulation 2016/679 must be interpreted as meaning that it is not sufficient for the controller, in order to be exempted from liability under paragraph 3 of that article, to claim that the damage in question was caused by the failure of a person acting under his or her authority, within the meaning of Article 29 of that regulation.
3. Article 82 (1) of Regulation 2016/679 must be interpreted as meaning that in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83 of that regulation and, second, to take account of the fact that several infringements of that regulation concerning the same processing operation affect the person seeking compensation."

Comment

This is another important authority on the assessment of compensation for the infringement of the GDPR under art 82 (1). In this decision, the CJEU made clear that the rules for assessing fines under art 83 are not to be taken into account for determining compensation under art 82 (1). The regulation sets no criteria for such assessment other than that the function of art 82 (1) is not punitive but compensatory. It is a matter for the national courts subject to the principles of equivalence and effectiveness of EU law.

Another takeaway from the decision is that a controller cannot escape liability under art 82 (3) GDPR by showing that its employee had slipped up.   It is surprising that juris GmbH believed that the point was worth arguing.   As the Court observed, it would have undermined the right to compensation under art 82 (1) had juris GmbH succeeded.

Anyone wishing to discuss this article may call me on +44 (0)20 7404 5252 during normal UK office hours or send me a message through my contact form.

Saturday, 28 March 2026

Entitlement to Compensation - East Dunbartonshire Council v Paton

Southbank Marina
Author G, Laird Licence CC BY-SA 2.0 Source Wikimedia Commons

Jane Lambert

Sheriff Appeal Court Civil (Appeal Sheriff O'Carroll) East Dunbartonshire Council v Paton [2026] SAC (Civ) 17 (4 March 2026)

This was an appeal by East Dunbartonshire Council against an award of compensation under art 82 (1) UK GDPR to the father of a child for damage incurred as a result of the council's delay in rectifying a risk assessment form. The local authority did not dispute that it had caused damage by the delay for which it had to pay compensation. Nor did it dispute the amount of compensation. The only issue in the appeal was whether the compensation had been paid to the right person.

Background

The child had been a pupil at a school maintained by the appellant council where she suffered bullying. Her father complained to the head teacher, who prepared a draft form assessing the risk to the child's physical safety as "medium" and the risk to her emotional well-being as "high".  The school sent the draft to the child's father for his consideration.

The school introduced control measures which led it to reduce its assessment of the risk to the child's physical safety to "low" and of the risk to her emotional well-being to "medium". The girl's father accepted that the measures had reduced the risks to his daughter but expressed concern that the risk to her well-being remained "medium". He sought further advice from the school on reducing the risk to his child's well-being, which the school provided the same day.

Despite the control measures, further difficulties arose which prompted the father to complain to the school.   The school rejected most of his complaints, whereupon the father resorted to the Scottish Public Services Ombudsman.  The ombudsman requested a risk assessment from the council.   Instead of sending the draft that had been shown to the child's father, the authority prepared a modified form showing the risk to her emotional well-being as "low".

Claim for Rectification

After seeing the modified form, the father asked the local authority to amend the risk assessment to his daughter's well-being.  The council admitted that its risk assessment had been wrong but refused to modify it.   The father issued proceedings in the Sheriff Court claiming rectification of the assessment form under art 16 GDPR and compensation for damage resulting from the council's delay in rectifying the form under art 82 (1).  The council admitted that the modified assessment form was incorrect and that it should be rectified, but contended that the data belonged to the child rather than her father and that, for that reason, the claim should fail. 

The Sheriff's Decision

The Sheriff found in favour of the father and awarded him compensation under art 82 (1).  He held that the information on the form was the father's personal data.  He found that it was incorrect and should be rectified. He also found that the father had sustained damage as a result of the council's delay in rectifying the record.   In reaching his decision, the Sheriff relied on the judgments of the Court of Justice of the European Union in Case C-434/16 Nowak v Data Protection Commissioner  [2017] EUECJ C-434/16, [2018] WLR 3505, [2018] 1 WLR 3505, EU: C:2017:994, [2018] 2 CMLR 21, ECLI:EU:C:2017:994, [2018] WLR(D) 8 and Mrs Justice Heather Williams in Ashley v Commissioners for His Majesty's Revenue and Customs [2025] EWHC 134 (KB).

The Appeal

The Council appealed to the Sheriff Appeal Court on the ground that the data relating to the child's risk assessment belonged to her and not her father and that he had not been entitled to seek rectification or compensation.  The appeal came on before Appeal Sheriff O'Carroll who delivered judgment in East Dunbartonshire Council v Paton [2026] SAC (Civ) 17 on 4 March 2026.  In para [23] of his judgment, the learned Appeal Sheriff dismissed the appeal.

Approach

In para [16], Appeal Sheriff O'Carroll considered and adopted the approach of the court below:

"What the case law and the two cases cited demonstrate in my view is that the correct approach to determining whether a right to access and associated rights exist, once the controller or processor of the data is identified, is firstly to identify the data to which access and rectification is sought. Then decide whether that data is personal data or not considering the statutory definition and wide interpretation of personal data adopted by the courts. Then, the task is to identify who is the subject of the data, that is to say the identified or identifiable person to whom the data relates. Then determine whether the data subject is entitled to rights of access or rectification or any other rights provided by the data protection legislation. Then, ascertain whether that that right has been asserted and exercised. Then, where the asserted right has been refused or blocked in some way, determine whether the data subject has a remedy and if so what and on what basis. Remedies include access, erasure, rectification, blocking and compensation, among others."

Whose Data? 

The learned Appeal Sheriff observed that the parties and first instance sheriff had narrowed the issue in dispute to a single question. Was the disputed data the personal data of the girl or her father?  In doing so, all concerned appeared to have assumed that the question was binary, that the data could be the personal data of only one or the other.

Not a Binary Question

The Appeal Sheriff explained why that was wrong:

"However, as frequently occurs in practice, any given piece of information may amount to personal data simultaneously of more than one person. See the useful discussion in Jay, Data Protection Law and Practice (5th Edition), at paragraphs 13-033 et seq. Information may inextricably form personal data of two or more persons. In the Novak case for example, the court noted that the personal data sought by Mr Novak was also the personal data of the examiner. In DB v General Medical Council [2019] 1 WLR 4044, , the independent expert report obtained by the GMC regarding the competence of a GP's treatment, sought by the patient who alleged negligent treatment, was simultaneously the personal data of the patient and the GP (and it might be said, though not argued, that of the author as well). Another example might be a joint bank account statement: that will comprise the personal data of each joint account holder. In this appeal, the Council itself states in its submission, correctly, that the disputed data was also that of the head teacher. The legislation itself makes specific provision for access rights in such cases of mixed personal data: see Articles 5 and 15 of GDPR and Schedule 2, Part 3, paragraph 16 to the 2018 Act. See also paragraph 17 of Part 3 for specific provision made in the case of education officials (such as risk assessor in this case) which removes the reasonableness test as regards the disclosure of that education official's personal data in certain circumstances."

He concluded that it cannot be said that if the information comprised the personal data of the child, it could not also be the personal data of her father.

It was obvious that the risk priority rating for emotional well-being was the girl's, but it was also her father's in the particular circumstances of the case.  The sheriff found after hearing evidence that the purpose of the data was not only to inform the council's employees’ decisions regarding the safety and well-being of the child, it was also to satisfy her father that those matters were being adequately dealt with by the council's officers.

Comment

The fact that the same data may relate to more than one data subject is often used as a reason for withholding data on a subject access request.   This decision makes clear that such excuses cannot be relied upon.  That does not mean that third-party rights can be overridden.  They have to be protected by redaction or otherwise.

Anyone wishing to discuss this article may call me on 020 7404 5252 during normal UK office hours or send me a message through my contact form at any time. 

Thursday, 26 March 2026

Construction of art 82 (1) GDPR: Case C‑590/22 AT and another v PS GbR and others

Wesel Court House
Author KingKurt  Licence CC BY-SA 4.0  Source Wikimedia Commons

 











Jane Lambert

Court of Justice of the European Union (K. Jürimäe, President of the Chamber, K. Lenaerts, President of the Court, N. Piçarra, N. Jääskinen (Rapporteur) and M. Gavalec, Judges) Case C‑590/22 AT and another v PS GbR and others ECLI:EU: C:2024:536, [2024] EUECJ C-590/22, EU: C:2024:536

This was a request by the Wesel Amtsgericht for a preliminary ruling on the interpretation of art 82 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) (‘the GDPR’) pursuant to art 267 of the Treaty on the Functioning of the European Union.  The request was made in proceedings between AT and BT against PS Gesellschaft bürgerlichen Rechts ("PS GbR") and its members for compensation for the disclosure of their personal data to third parties without their consent as a result of an error by the firm.

The Proceedings

PS GbR was a tax consultancy, and AT and BT were two of its clients.  AT and BT instructed PS GbR to draw up their tax return.  The consultancy carried out their instructions but sent the return to AT and BT's previous address.  AT and BT recovered the envelope that had contained the tax return but found that it contained only a covering letter and a copy of the return.  The missing documents contained the names, dates of birth, tax identification numbers, religious denominations, bank details, professions, places of work and disability status of AT and BT, as well as their children's personal data.  AT and BT sued PS GbR and its members for €15,000 compensation in the Wesel Amtsgericht, the lowest civil court in the German legal system.

The Reference

The court decided that it could not decide the claim without referring the following questions to the Court of Justice of the European Union:

"(1) Is it sufficient for the establishment of a claim for compensation under Article 82 (1) of [the GDPR] that a provision of [that regulation] serving to protect the claimant has been infringed or is it necessary that a further adverse effect on the claimant has occurred, beyond the infringement of the provision as such?
(2) Under EU law, does the establishment of a claim for compensation for non-material damage under Article 82 (1) of the GDPR require an adverse effect of a certain magnitude?
(3) In particular, is it sufficient for the establishment of a claim for compensation for non-material damage under Article 82(1) of the GDPR that the claimant fears that his or her personal data have come into the hands of third parties as a result of infringements of provisions of the GDPR, even though that circumstance cannot be positively established?
(4) Is it in conformity with EU law for the national court to apply mutatis mutandis the criteria of the second sentence of Article 83 (2) of the GDPR - which, according to the wording, apply only to administrative fines - when assessing compensation for non-material damage under Article 82 (1) of the GDPR?
(5) Must the amount of a claim for compensation for non-material damage under Article 82 (1) of the GDPR also be assessed by reference to the fact that the amount of the claim awarded serves to have a deterrent effect and/or to prevent the “commercialisation” (calculated acceptance of administrative fines/compensation payments) of infringements?
(6) Is it in conformity with EU law, when assessing the amount of a claim for compensation for non-material damage under Article 82(1) of the GDPR, to take into account simultaneous infringements of national provisions which have as their purpose the protection of personal data but which are not delegated or implementing acts adopted in accordance with that regulation or Member State laws [specifying rules] of that regulation?"

Legislative Context

The CJEU considered recitals (85), (146) and (148) and  arts 4 (1), (7), (10) and (12), 79 (1) and 83 (3) and (5) of the GDPR as well as the following paragraphs of art 82:

"1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
......."

Judgment

The CJEU delivered judgment on 20 June 2024 (Case C‑590/22 AT and another v PS GbR and others ECLI:EU: C:2024:536, [2024] EUECJ C-590/22, EU: C:2024:536).

The First and Second Questions

The Court took the 1st and 2nd questions together.  In its view, the Amtsgericht was asking whether art 82 (1) should be interpreted as meaning that the mere infringement of the GDPR would be sufficient to give rise to compensation or whether a claimant had also to show that the infringement had led to damage of a sufficient degree of seriousness.  

The CJEU has already held in para [32] of Case C‑300/21 UI v Österreichische Post AG [2023] WLR(D) 221, EU: C:2023:370, [2023] EUECJ C-300/21, ECLI: EU: C:2023:370 and para [34] of Case C‑741/21, GP v juris GmbH [2024] EUECJ C-741/21, ECLI: EU: C:2024:288, EU: C:2024:288 that it is clear from the wording of the article that the existence of ‘damage’, whether material or non-material, constitutes one of the conditions for compensation under art 82 (1).  So, too, does the existence of an infringement and of a causal link between that damage and the infringement.  The three conditions are cumulative.

It follows that it cannot be held that any ‘infringement’ of the provisions of the GDPR, by itself, confers a right to compensation.  The answer to question 1 is that art 82 (1) of the GDPR must be interpreted as meaning that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation.

The Third Question

The 3rd question was reframed as to whether art 82 (1) should be interpreted as meaning that a data subject's fear that his or her personal data had been disclosed to third parties without any certainty as to whether that had actually happened is sufficient to give rise to a claim for non-material damage under that article.  

Citing paras [30] and [44] of UI v Österreichische Post AG and para [64] of Case C‑687/21 BL v MediaMarktSaturn Hagen-Iserlohn GmbH, [2024] 1 WLR 2597, [2024] EUECJ C-687/21, ECLI: EU: C:2024:72, EU: C:2024:72, [2024] WLR(D) 53, the CJEU noted that the concept of ‘non-material damage’, within the meaning of art 82 (1), must be given an autonomous and uniform definition specific to EU law.  

The Court has already held in Case C‑340/21 VB v Natsionalna agentsia za prihodite EU: C:2023:986, ECLI:EU: C:2023:986, [2024] WLR(D) 17, [2023] EUECJ C-340/21 and BL v MediaMarktSaturn Hagen-Iserlohn GmbH that the fear experienced by a data subject with regard to a possible misuse of his or her personal data by third parties as a result of an infringement of that regulation is capable, in itself, of constituting ‘non-material damage’, within the meaning of art 82 (1).  It added that the loss of control over personal data, even for a short period of time, may constitute ‘non-material damage’, within the meaning of art 82 (1), giving rise to a right to compensation, provided that the data subject can show that he or she has actually suffered such damage, however slight.

A person who considers that his or her personal data has been processed in breach of the relevant provisions of the GDPR and seeks compensation on the basis of art 82 (1) must therefore prove that he or she has actually suffered material or non-material damage.  However, a mere allegation of fear, with no proven negative consequences, cannot give rise to compensation.

The CJEU concluded at para [36] that the answer to the 3rd question is that art 82 (1) must be interpreted as meaning that a person’s fear that his or her personal data have, as a result of an infringement of that regulation, been disclosed to third parties, without it being possible to establish that that was in fact the case, is sufficient to give rise to a right to compensation, provided that that fear, with its negative consequences, is duly proven.

The Fourth and Fifth Questions

In the 4th and 5th questions the Amtsgericht asked whether art 82 (1) should be interpreted as meaning that, to determine the amount of damages due as compensation for damage based on that provision, it is necessary to apply the criteria for setting the amount of administrative fines laid down in art 83 mutatis mutandis and that a dissuasive function be conferred on the right to compensation.  The CJEU observed that arts 82 and 83 pursue different objectives. While art 83 determines the "general conditions for imposing administrative fines", art 82 governs the "right to compensation and liability."   The criteria set out in art 83 for the purposes of determining the amount of administrative fines cannot be used to assess the amount of damages under art 82 (see para [57] of Case C‑741/21, GP v juris GmbH).  The answer to the 4th and 5th questions is that art 82 (1) must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in art 83, and, second, to confer on that right to compensation a dissuasive function.

The Sixth Question

In its 6th question, the Amtsgericht was asking whether art 82 (1) must be interpreted as meaning that, to determine the amount of damages due as compensation for damage based on that provision, account must be taken of simultaneous infringements of national provisions relating to the protection of personal data, but not intended to specify the rules of that regulation.  The Court ruled that it was not necessary to take account of simultaneous infringements of national provisions that relate to the protection of personal data, but which are not intended to specify the rules of that regulation.

The Ruling

The CJEU ruled as follows:
"1. Article 82 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that an infringement of that regulation is not, in itself, sufficient to give rise to a right to compensation under that provision. The data subject must also establish the existence of damage caused by that infringement, without, however, that damage having to reach a certain degree of seriousness.
2. Article 82 (1) of Regulation 2016/679 must be interpreted as meaning that a person’s fear that his or her personal data have, as a result of an infringement of that regulation, been disclosed to third parties, without it being possible to establish that that was in fact the case, is sufficient to give rise to a right to compensation, provided that that fear, with its negative consequences, is duly proven.
3. Article 82 (1) of Regulation 2016/679 must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary, first, to apply mutatis mutandis the criteria for setting the amount of administrative fines laid down in Article 83 of that regulation and, second, to confer on that right to compensation a dissuasive function.
4. Article 82 (1) of Regulation 2016/679 must be interpreted as meaning that, in order to determine the amount of damages due as compensation for damage based on that provision, it is not necessary to take account of simultaneous infringements of national provisions which relate to the protection of personal data but which are not intended to specify the rules of that regulation."

Comment

As this ruling was delivered after IP completion day, courts in England and Wales, Scotland and Northern Ireland are not bound by it or the principles contained in this judgment.  However, s.6 (2) of the European Union (Withdrawal) Act 2018, as amended, permits courts in those jurisdictions to have regard to it insofar as it is relevant to any matter before them.   This judgment will therefore be cited and considered in cases on the meaning and effect of art 82 of the UK GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation) (Text with EEA relevance)).

Anyone wishing to discuss this case may call me on +44 (0)20 7404 5252 or send me a message through my contact form.

Friday, 20 March 2026

Data Protection Litigation: Pre-action Protocol for Media and Communications Claims

Jane Lambert

 


















There has recently been a surge in claims by individuals seeking to enforce their rights under data protection legislation through litigation.  I have appeared in two such claims this week, one in London and another in the Thames Valley.  I have also advised in writing and in conference on several more. A surprising aspect of the surge is that the United Kingdom General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 are much more complicated than the Data Protection Act 1998 and the Data Protection Act 1984, which preceded them. Those Acts also provided rights of action, but they were used much less frequently than the present legislation.  Another surprise is the infrequency with which parties refer to the Pre-action Protocol for Media and Communications Claims, even though that protocol applies to all data protection claims.  In both of the cases in which I appeared this week, observance of the protocol would have made a significant difference to the outcome of the litigation.  

Effective Judicial Remedy
Art 79 (1) of the UK GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation) as modified by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) entitles data subjects to an effective judicial remedy if they consider that their rights under the Regulation have been infringed as a result of the processing of their personal data in non-compliance with the regulation.  That includes a right under art 82 (1) to compensation from a controller or processor for any material or non-material damage that may arise as a result of such non-compliance.

Pre-action Protocols
Para 1 of Practice Direction - Pre-action Conduct and Protocols states that pre-action protocols explain the conduct and set out the steps the court would normally expect parties to take before commencing proceedings for particular types of civil claims. Para 2 warns that a person who knowingly makes a false statement in a pre-action protocol letter or other document prepared in anticipation of legal proceedings may be subject to proceedings for contempt of court.  Para 3 states that the objectives of pre-action conduct and protocols are to enable parties to disputes to:
"(a) understand each other’s position;
(b) make decisions about how to proceed;
(c) try to settle the issues without proceedings;
(d) consider a form of Alternative Dispute Resolution (ADR) to assist with settlement;
(e) support the efficient management of those proceedings; and
(f) reduce the costs of resolving the dispute."

Para 4 stresses that a pre-action protocol must not be used by a party as a tactical device to secure an unfair advantage over another party. Only reasonable and proportionate steps should be taken by the parties to identify, narrow and resolve the legal, factual or expert issues.  Para 5 adds that disproportionate costs in complying with any pre-action protocol are likely to be irrecoverable.  Para 6 states that where there is a relevant pre-action protocol, the parties should comply with it before commencing proceedings.  Para 8 reminds parties that litigation should be a last resort. As part of a relevant pre-action protocol, the parties should consider whether negotiation or some other form of ADR might enable them to settle their dispute without commencing proceedings.

Non-compliance with a protocol can be penalized in several ways.  For example, para 16 states that a party at fault may be ordered to pay costs on an indemnity basis or a successful party may be deprived of some or all of his or her costs.

Pre-action Protocol for Media and Communications Claims
Although it is not listed among the "Protocols in Force" in para 18 of PD-Pre-action Conduct and Protocols, para 1.1 of the Pre-action Protocol for Media and Communications Claims states that it applies to data protection claims, including those brought by litigants in person. If a party to a claim becomes aware that another party is a litigant in person, he or she should send a copy of the protocol to the litigant in person at the earliest opportunity.

The aims of the protocol listed in para 2.1 are similar to those of the practice direction, namely enabling parties to prospective claims to:
"(a) understand and properly identify the issues in dispute and to share information and relevant documents;
(b) make informed decisions as to whether and how to proceed;
(c) try to settle the dispute without proceedings or reduce the issues in dispute;
(d) avoid unnecessary expense and control the costs of resolving the dispute; and
(e) support the efficient management of proceedings where court proceedings cannot be avoided."

Para 3.1 requires intending claimants to notify intended defendants of their claims in writing at the earliest reasonable opportunity.   They are also reminded of the need for proportionality in formulating both the letter of claim and response in para 2.2:

"In formulating both the Letter of Claim and Response and in taking any subsequent steps, the parties should act reasonably to keep costs proportionate to the nature and gravity of the case and the stage the complaint has reached."

The following information should be included in the letter of claim: 

  • the name of the claimant;
  • the nature of and basis for the entitlement to the remedies sought by the claimant;
  • any facts or matters relevant to England and Wales being the most appropriate forum for the dispute; and
  • details of any funding arrangement in place.
Para 3.4 adds that letters of claim in data protection cases should also include:

  •  "any further information necessary to identify the data subject;
  • the data controller to which the claim is addressed;
  • the information or categories of information which is claimed to constitute personal data including, where necessary, the information which is said to constitute sensitive personal data or to fall within a special category of personal data;
  • sufficient details to identify the relevant processing;
  • the identification of the duty or duties which are said to have been breached and details of the manner in which they are said to have been breached, including any positive case on behalf of the Claimant;
  • why the personal data ought not to be processed/further processed, if applicable;
  • the nature and any available details as to any particular damage caused or likely to be caused by the processing/breach of duty complained of; and
  • Where a representative data protection claim is intended to be brought on behalf of data subjects, the letter of claim should also: set out the nature of the entity which intends to bring the claim and explain how it fulfils the relevant suitability criteria – see Article 80 of the General Data Protection regulation (GDPR); include details of the data subjects on whose behalf the claim would be brought; and, confirmation that they have mandated the representative body to represent them and receive compensation, where applicable."
Defendants are required by para 3.6 to provide a full response to the letter of claim, as soon as reasonably possible. If a defendant believes that he or she will be unable to respond within 14 days (or such shorter time limit as specified in the letter of claim), then he or she should specify the date by which he/she intends to respond.

Para 3.7 requires letters of response to include:

  • "whether or to what extent the Claimant’s claim is accepted, whether more information is required or whether it is rejected;
  • if the claim is accepted in whole or in part, the Defendant should indicate which remedies it is willing to offer;
  • if more information is required, then the Defendant should specify precisely what information is needed to enable the claim to be dealt with and why;
  • if the claim is rejected, then the Defendant should explain the reasons why it is rejected, including a sufficient indication of any statutory exemptions or facts on which the Defendant is likely to rely in support of any substantive defence;
  • in a defamation or malicious falsehood claim, the defamatory or false imputation(s) the Defendant contends was conveyed by the statement complained of, if any; and
  • where the Claimant to a proposed action has indicated his/her intention to make an application to bring the claim anonymously, the Defendant should indicate whether the Defendant accepts such an order would be appropriate and give an indication of the basis for the Defendant’s position."
Para 3.8 reminds parties that litigation should be a last resort, while para 3.9 suggests the following options for parties to data protection disputes:

"(a) without prejudice discussions and negotiations between the parties;
(b) mediation – a form of facilitated negotiation assisted by an independent neutral third party; [and]
(c) early neutral evaluation (ENE) – a third party giving an informed opinion on the dispute (for example, a lawyer experienced in the field of [data protection] or an individual experienced in the subject matter of the claim)......."

Para 3.10 mentions the need to consider offers under CPR Part 36.  If a dispute is not settled, para 3.11 encourages parties to undertake a further review of their respective positions, to consider the state of the papers and the evidence in order to see if proceedings can be avoided and, at least, narrow the issues between them which can assist efficient case management.  

Finally, parties are referred to other provisions which they might find useful, such as CPR Part 25: Interim Remedies and Security for Costs and CPR PD48 paragraphs 3.1 and 3.2: Part 2 of the Legal Aid, Sentencing and Punishment of Offenders Act 2012 Relating to Civil Litigation Funding and Costs.

Further Information
Anyone wishing to discuss this article further may call me on 020 7404 5252 during UK office hours or send me a message through my contact form at any time.