No compensation for data breach

Last updated on 17 February 2026

An employee’s laptop was stolen from the workplace over the weekend. The theft triggered a data breach as data was stored locally. The data included large amounts of personal information, resulting in notifications to both the Danish Data Protection Agency and the data subjects. Some of those concerned subsequently raised claims, but the Danish Supreme Court rejected that there were grounds for compensation.

A municipality processed a spreadsheet with personal information on approximately 20,000 citizens as part of verifying reimbursements it had issued. The spreadsheet contained a range of data, including names, social security numbers, addresses, and social benefits.

One weekend, the workplace was burglarised. In this connection, the laptop where the spreadsheet had been saved was stolen, along with several other items. The spreadsheet had been stored locally without encryption, and the municipality reported the theft as a data breach. After being notified of the incident, some of those affected claimed compensation, as they felt violated by the incident.

The municipality had breached the data protection rules. It had not adequately secured the personal data involved in the breach. Despite its internal instructions, the employee had been forced to save the data locally because of the spreadsheet's size. The laptop was only protected with a username and a password. Neither the hard drive nor the spreadsheet had been encrypted. There had been previous incidents of burglary at the workplace.

Despite the breach of the data protection rules, the Supreme Court rejected the claim for compensation. There was no evidence of actual damage resulting from the negative feelings and consequences highlighted by the citizens. They had also not proven a direct link between those experiences and the data breach. Several explained that they felt fearful and nervous because of the breach. One explained that she had been the victim of identity theft a few months after the breach. The Supreme Court emphasised that, aside from the explanations, there was no actual evidence to document any damage.

iuno's opinion

Breach of the data protection rules can trigger compensation to data subjects when the damage is a direct result of non-compliance. There is no minimum threshold as to the extent of the damage required to initiate a claim. Damage can also take many forms, including loss of control of the data, identity theft, or discrimination. However, as the Supreme Court also made clear in this case, the link and the damage must be proven and documented.

iuno recommends that your company, as a data controller, is aware that the default is liability for non-compliance with the data protection rules. Generally, that also applies even if an employee causes a data breach by storing data locally or losing a laptop, despite internal instructions in place.

[Supreme Court ruling of 19 December 2025, in cases BS-14485/2025-HJR, BS-14653/2025-HJR, BS-15152/2025-HJR, and BS-16195/2025-HJR]