Can I claim compensation for anxiety and stress after a data breach?

Yes, the Court of Justice of the European Union has confirmed that negative feelings such as fear, stress or dissatisfaction following a breach of your personal data can entitle you to compensation. The mere fear of misuse of your data or loss of control may suffice, without having to prove a minimum threshold of severity. This significantly lowers the threshold for victims of data breaches.

The facts: an out-of-control job application

The case that led to the judgment of 4 September 2025 (Case C-655/23, IP v. Quirin Privatbank AG) was remarkably straightforward. An applicant, IP, negotiated his wage terms with Quirin Privatbank. An employee of the bank accidentally sent a message rejecting his wage demands and a counterproposal to the wrong person via a professional social network. This third party happened to know the applicant from a previous work experience and forwarded the message to him.

The applicant felt humiliated and was concerned that this confidential information would circulate in his professional circle, which could put him at a competitive disadvantage in the future. He went to court and demanded two cases:

1. A ban for the bank from making another such mistake in the future.
2. Compensation of €1,000 for the moral damage suffered (stress, humiliation, fear).

The German courts were divided. The first judge granted both claims, but on appeal ruled that the "humiliation" was not severe enough to qualify as damages. Ultimately, Germany's highest federal court referred the issue to the European Court of Justice

The decision of the Court of Justice

On 4 september 2025, the Court handed down a ruling that significantly strengthens the rights of victims of data breaches. The essence of the decision can be summarized in four points:

1. Qualifying negative feelings as "moral harm" The Court held that the term "non-material damage" in Article 82(1) of the General Data Protection Regulation (GDPR) should be interpreted broadly. Negative feelings such as fear, anxiety, annoyance, displeasure or humiliation may suffice. While the victim must prove that these feelings are a direct result of the GDPR breach, there is no minimum threshold. Thus, even minor, but proven, moral damages are eligible for compensation.

2. The severity of the fault is irrelevant to the amount of compensation The Court clearly states that compensation under Article 82 GDPR has an exclusively compensatory function. The aim is to fully compensate the victim for the damage suffered, not to punish the company. Therefore, the degree of fault of the controller (was it intentional or mere negligence?) should not play a role in determining the amount of compensation. Compensation is based solely on the extent of the proven harm to the victim.

3. A ban for the future is not a GDPR right, but can be done through national law The GDPR itself does not explicitly provide a right for an individual to seek a preventive injunction through the courts against a company to repeat a breach. However, the Court stated that the GDPR does not prevent member states from to provide such a remedy in their own national legislation. In Belgium, for example, it could be argued that such a prohibition could possibly be requested through article 18, second paragraph Judicial Code .

4. An injunction and damages are separate A preventive injunction and compensation serve completely different purposes. The injunction is preventive (future-oriented), while compensation is compensatory (aimed at repairing damage already suffered). Therefore, obtaining an injunction can never reduce or replace financial compensation.

Legal analysis and interpretation

This judgment is perfectly in line with previous case law of the Court (such as the case of Österreichische Post, C-300/21), but refines and confirms the principles. The trend is unmistakable: protecting the individual and strengthening their rights under the GDPR is key.

The clear separation between the compensatory function of Article 82 GDPR (compensation for the victim) and the punitive function of Article 83 GDPR (administrative fines imposed by the regulator) is legally crucial. Thus, a company can be hit twice: a high fine from the Data Protection Authority as well as compensation claims from aggrieved citizens. The intent or negligence of the company is only relevant to the amount of the fine, not the individual compensation.

The most significant shift for legal practice is the focus on proving damages. Whereas previously the discussion was often about whether feelings such as "fear" could constitute harm, the focus will now be on the question: has the victim sufficiently demonstrated that he/she actually experienced this fear as a result of the infringement? It is up to the national courts to assess this on a case-by-case basis.

What this specifically means

For victims (data subjects):

• Your rights have been strengthened: You do not have to prove financial or property damage to claim compensation. Moral damages, such as the fear that your data will be misused, will suffice.
• Document everything: Keep a journal of your feelings and concerns after learning of a data breach. When did you feel anxious? What did you worry about? This can serve as evidence.
• The company's fault is not your concern: You do not have to prove that the company was willfully or severely at fault to receive full compensation for your damages.

For companies (data controllers):

• Prevention is crucial: The risks are greater than ever. Even a small, unintentional human error can lead to legitimate damage claims. Invest in technical measures and thorough training of your staff.
• The “sorry” defense is not always sufficient: An apology is not an automatic release that frees you from compensation. However, the ECJ does recognize that apologies can constitute “adequate compensation” for non-material damages. The hard condition is that these apologies - under domestic law - “fully and effectively” compensate for the harm suffered. So a court will have to consider whether a ‘sorry’ really does fully restore the victim's stress or anxiety.
• Review your insurance policies: Check whether your cyber or liability insurance adequately covers these types of claims for intangible damages, with no threshold of severity.

FAQ (frequently asked questions)

How much compensation can I get for moral damages?
There are no fixed amounts. Compensation must be "complete and actual" and is determined by the court based on the concrete damages proven. For minor damages, the compensation may be symbolic, but for severe anxiety or reputational damage, the amounts may be substantial.

Do I have to prove that the company intentionally made a mistake?
No. The degree of fault is not relevant to the right to and amount of compensation. The GDPR provides for a presumption of fault. It is up to the company to prove that it is in no way responsible for the damages (a very high burden of proof).

Can I force a company to prevent a data breach in the future?
Although the GDPR does not provide this as an enforceable right for citizens, Belgian law may provide options for seeking a preventive injunction. However, this is separate from your right to compensation and requires a separate legal analysis.

Conclusion

The ruling in the Quirin Privatbank case confirms that the protection of personal data is a fundamental right with concrete consequences. Victims of data breaches and other privacy breaches are in a stronger position than ever to seek compensation for the emotional impact, such as stress and anxiety. For companies, the message becomes even clearer: a proactive and watertight data protection policy is not a luxury, but an absolute necessity to avoid significant financial and reputational risks.