We use cookies to collect and analyse information on site performance and usage to improve and customise your experience, where applicable. View our Cookies Policy. Click Accept and continue to use our website or Manage to review and update your preferences.

GDPR breach doesn’t automatically pay out
22 Jan 2026 data law Print

GDPR breach doesn’t automatically pay out

The Circuit Court has dismissed a data-breach claim brought by a prison officer against the Irish Prison Service (IPS), ruling that "mere upset" caused by a GDPR infringement does not entitle a person to financial compensation.

The decision in Walsh v Irish Prison Service [2025] IECC 8, provides significant clarity for employers and data controllers, reaffirming that plaintiffs must prove genuine, non-trivial harm to secure damages for emotional distress.

Mistaken identity

A note on the Matheson website explains that the dispute began in November 2018 when the plaintiff, prison officer Mark Walsh, applied for a promotion.

Due to an administrative error, the IPS emailed his interview scoring sheet and ranking – showing he placed 17th on the panel – to a different officer with the same name at a separate facility.

The error was discovered a month later when the recipient contacted the plaintiff to alert him.

While the IPS admitted the breach and apologised, Walsh sued for "non-material damage", alleging the leak caused him anxiety, disturbed sleep, and taunts from colleagues.

‘Upset’ vs legal damage

Judge Fergus dismissed the claim, citing the Kaminski guidelines, a set of legal principles established in 2023 to evaluate non-material damage.

The court noted several fatal flaws in the plaintiff's case:

  • No medical evidence: The plaintiff provided no medical reports or expert testimony to support his claims of anxiety or sleep loss,
  • Vague allegations: While he claimed to have been mocked by co-workers, he could not identify specific individuals who had targeted him,
  • No career impact: The court observed that the plaintiff did not miss work and was successfully promoted to the role just nine months later.

Takeaways 

The court highlighted that:

  • An apology and prompt remedial action can significantly mitigate a defendant's liability,
  • A mere infringement" of the GDPR does not automatically lead to a payout.
  • While there is no "minimum threshold" of seriousness for a claim to exist, "mere upset, anxiety, and embarrassment" are generally not enough to warrant compensation.

The judgment follows a trend in Irish courts to keep GDPR awards ‘modest’, typically ranging from €2,000 to €7,500 only in cases where genuine, proven distress is established  

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland

Content related to data law

data law
Monitor British data rules, commission urged

EDPB welcomes ‘continuing alignment’ on frameworks
data law
Data bodies see risks in EU’s GDPR proposals

'Change goes further than recent CJEU case law'

data law
Microsoft faces ICCL data complaint on Gaza

Tech ‘enables mass surveillance of Palestinians’

data law
GDPR breach doesn’t automatically pay out

Apology and remedial action mitigates liability
Copyright © 2026 Law Society Gazette. The Law Society is not responsible for the content of external sites – see our Privacy Policy.