On 5 December 2025, the Circuit Court in Walsh v Irish Prison Service [2025] IECC 8, delivered another significant decision concerning compensation for non-material damage under the GDPR in Ireland.
The court applied the guidelines set out in Kaminski v Ballymaguire Foods [2023] IECC 5 (discussed previously here) and dismissed the plaintiff’s claim on the basis that the plaintiff had suffered no more than “mere upset”.
The decision will be welcomed by defendant data controllers and processors faced with claims under section 117 of the Data Protection Act 2018 and Article 82 GDPR, as it provides further clarity on when compensation will be payable. It also importantly, confirms that damages are not recoverable in every case where there has been a data breach, even where such a breach is admitted.
Background
The plaintiff is a prison officer who interviewed for the job of Chief Officer with the Irish Prison Service. As part of the interview process, the plaintiff was scored following the interview and was placed at No. 17 on the panel. The plaintiff’s scoring sheet and panel position was subsequently emailed in error to another prison officer with the same name, who brought the error to the attention of the plaintiff. The Irish Prison Service’s Data Protection Administrator subsequently sent an email to the plaintiff apologising for the error and giving assurances that this type of error would not occur again. The plaintiff then issued proceedings under Article 82 GDPR and Section 117 of the Data Protection Act 2018. The plaintiff gave evidence that he had entered the competition without telling anyone as he had been unsuccessful in past interviews, and that the incident resulted in taunts from colleagues, causing him distress, anxiety and disturbed sleep. Notably, the plaintiff failed to produce any medical evidence to support his claim that he suffered sleep disturbance, nor did he identify any specific person as having taunted him.
Issues to be considered
The key issue for the court to consider was therefore not liability for the breach itself, as the defendant had admitted to the breach, but whether the plaintiff had demonstrated compensable non-material damage arising from the breach. The court stated that the questions it had to consider were “on all fours” with the Kaminski guidelines, as follows:
- Was the email sent to another prison officer with the same name a breach of the plaintiff’s personal data such as to constitute an unlawful processing under the 2018 Act and GDPR?
- If the answer is yes, did the damage go beyond “mere upset or displeasure” as a result of the infringement of the plaintiff’s person data?
- If the answer is yes, what if any compensation is recoverable?
Decision
Applying the Kaminski guidelines:
- The court found that the non-material damage in this case resulted in some discomfort and embarrassment for the plaintiff in the workplace, but it was not satisfied that the threshold beyond “mere upset” had been reached.
- It also found there was no evidence of a causal link between the breach and the alleged damage.
- The court was satisfied that a full apology had issued and steps were taken to address the plaintiff’s concerns within a reasonable timeframe.
Whilst dismissing the claim, the court was satisfied that it was an appropriate case in which to exercise its discretion to make no order as to costs.
Key takeaways
The decision adds to the growing body of recent Irish case law dealing with non-material damage claims under the GDPR. It shows consistency in the court’s approach, reaffirming the now well-established principle that mere infringements of the GDPR will not necessarily give rise to compensation in themselves, and that “mere upset” alone is not compensable. It also clearly signals and clarifies that, in appropriate cases, an apology may well be sufficient to address any harm suffered by the plaintiff, or at the very least will be a strong mitigating factor.
For organisations faced with these types of claims, it demonstrates the value in: (i) acknowledging and responding to infringements in a timely manner; (ii) issuing an apology where appropriate; (iii) informing the impacted data subjects of steps taken to address the infringement and negate/mitigate adverse effects.
Looking ahead to 2026 and beyond, we anticipate that the courts will continue to take a consistent approach in the application of the Kaminski guidelines, which will hopefully provide even further clarity on the circumstances in which compensation will be payable. In practice, in defending these types of claims, we have observed a disconnect between plaintiffs’ expectations and the level of damages actually awarded by the courts. We anticipate that this gap will narrow as more decisions are published clarifying the circumstances in which compensation will be justified, and indicative levels of damages. Even where plaintiffs can establish non-material loss beyond mere upset, but falling short of a recognised psychiatric injury, they cannot expect anything other than “very, very modest awards” as confirmed by the Supreme court in Dillon v Irish Life Assurance PLC [2025] IESC 37.
Contact us
If you have any queries on this decision, or if you would like to discuss how it may affect your organisation’s approach to defending data breach claims, please do not hesitate to contact us.
For more information, please contact any member of our Disputes & Investigations Group or our Technology & Innovation Group.