GDPR breach doesn’t automatically pay out
22 Jan 2026 data law Print

GDPR breach doesn’t automatically pay out

The Circuit Court has dismissed a data-breach claim brought by a prison officer against the Irish Prison Service (IPS), ruling that "mere upset" caused by a GDPR infringement does not entitle a person to financial compensation.

The decision in Walsh v Irish Prison Service [2025] IECC 8, provides significant clarity for employers and data controllers, reaffirming that plaintiffs must prove genuine, non-trivial harm to secure damages for emotional distress.

Mistaken identity

A note on the Matheson website explains that the dispute began in November 2018 when the plaintiff, prison officer Mark Walsh, applied for a promotion.

Due to an administrative error, the IPS emailed his interview scoring sheet and ranking – showing he placed 17th on the panel – to a different officer with the same name at a separate facility.

The error was discovered a month later when the recipient contacted the plaintiff to alert him.

While the IPS admitted the breach and apologised, Walsh sued for "non-material damage", alleging the leak caused him anxiety, disturbed sleep, and taunts from colleagues.

‘Upset’ vs legal damage

Judge Fergus dismissed the claim, citing the Kaminski guidelines, a set of legal principles established in 2023 to evaluate non-material damage.

The court noted several fatal flaws in the plaintiff's case:

  • No medical evidence: The plaintiff provided no medical reports or expert testimony to support his claims of anxiety or sleep loss,
  • Vague allegations: While he claimed to have been mocked by co-workers, he could not identify specific individuals who had targeted him,
  • No career impact: The court observed that the plaintiff did not miss work and was successfully promoted to the role just nine months later.

Takeaways 

The court highlighted that:

  • An apology and prompt remedial action can significantly mitigate a defendant's liability,
  • A mere infringement" of the GDPR does not automatically lead to a payout.
  • While there is no "minimum threshold" of seriousness for a claim to exist, "mere upset, anxiety, and embarrassment" are generally not enough to warrant compensation.

The judgment follows a trend in Irish courts to keep GDPR awards ‘modest’, typically ranging from €2,000 to €7,500 only in cases where genuine, proven distress is established  

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland

Content related to data law

data law
CCPC registers first ‘data-altruism’ body

Go-ahead for DCU energy initiative under EU act
data law
EU bodies urged to reject GDPR change

Overreach ‘narrows personal-data concept’

data law
DPC launches probe into X’s Grok images

Focus will be on platform’s obligations under GDPR
data law
The efficiency paradox

AI-enhanced features can lead to GDPR breaches
Copyright © 2026 Law Society Gazette. The Law Society is not responsible for the content of external sites – see our Privacy Policy.