What Are Your Rights If Your Employer Breaches Your Data Privacy?
In this guide, we look at the justifications and evidence required to make employee data breach claims against Compass Group. You might already be aware that if a data breach causes you financial expense you could make a claim for data breach compensation. But you could also claim if an employee information data breach causes you psychological harm, which could include anxiety, stress and distress.
This is because there is data protection legislation in place to protect the privacy and security of your personal data. Laws such as the GDPR and the UK’s application of the GDPR in the Data Protection Act 2018 require those who process your personal data to take steps to protect it.
There are many ways in which you could experience data breaches. These could include someone sharing personal information without consent or a lawful reason, or a cyber-attack that leads to your data being hacked, for example.
A data breach could include someone leaving documents containing personal data on top of a filing cabinet, leading to someone who should not see them accessing them. Or, perhaps someone within the organisation accidentally sent your personal information to an unauthorised third party.
Whatever the reason for the employee data breach, GDPR allows victims who suffer harm from it to claim compensation.
How This Guide Could Help
This guide explains the data breach claim process in detail, offering guidance and support to those who’ve experienced such a breach. If anything within this guide is unclear, or you’d like to talk to us about making data breach claims, you could contact us using the Live Chat service.
We would be happy to answer your questions. Alternatively, if you’d like to speak to a No Win No Fee data breach solicitor, the banner below connects you with Legal Expert, who could help you take such a claim forward.
Select A Section
- What Is The General Data Protection Regulation?
- Are Employees Of Compass Group Protected By The GDPR?
- What Are The Core Principles Of The GDPR?
- What Data Is Protected Under GDPR?
- How Can My Employer Breach Data Protection Laws?
- How Could Your Employer Breach The GDPR Principles?
- GDPR Data Breach Claims Against Compass Group
- Does My Employer Need My Consent To Share My Personal Information?
- What Can I Do If My Employer Breaches GDPR?
- What Is The Role Of The Information Commissioner’s Office?
- The ICO’s Guidelines On Protecting Employee Data
- How Do I Report My Employer For A GDPR Breach?
- How Much Compensation Could I Receive For A GDPR Data Breach Claim Against Compass Group?
- No Win No Fee GDPR Data Breach Claims Against Compass Group
- Data Protection Breach Resources
- GDPR: FAQs For Employment Data Breaches
In 2018, arguably the most stringent data security and privacy law in the world came into force. The GDPR, or the General Data Protection Regulation, protects the data privacy of millions of people. Every data controller that processes the personal data of EU subjects must protect the security and privacy of this data.
The UK’s application of the General Data Protection Regulation is enshrined into UK law in the Data Protection Act 2018. Therefore, UK employers such as Compass Group should comply with it. A failure to do so could result in enforcement action (which could include fines) from the Information Commissioner’s Office (ICO). If a data breach occurs and victims suffer mentally or financially, they could seek compensation.
You may assume that using a good firewall and other cybersecurity software, such as a VPN (Virtual Private Network) or encryption, would protect your data. But it isn’t just network security and computer security that GDPR covers. Employers should also take care to protect paperwork containing personal data.
They should also refrain from discussing personal information with other parties in earshot of those who are not authorised to hear it. A failure to protect your personal information in any of these ways could lead to you being able to make employee data breach claims. While you would only be able to claim if you’ve suffered damage because of the breach, this is not restricted to financial damage. You could also claim compensation for a privacy violation that led to you suffering emotional harm.
Employees of Compass Group could give their employer many different pieces of personal data before, during and after their employment. The ICO defines personal data as information that could identify you, either directly, or when someone combines it with other data.
It could include your email address, name, phone number, and even your IP address, ethnic origin or medical data, to name but a few examples. When you give such information to your employer, you are a data subject. As such, under GDPR you would have certain rights, including:
- Your right to personal data erasure
- A right to have data that is incorrect rectified
- The right to access your personal information
- Rights in relation to automated decision making and profiling
- A right to portability of your data
- The right to restrict an organisation’s processing of your data
- A right for the organisation to inform you about your personal data
- The right to object to an organisation processing your personal data
You can learn more about what these individual rights involve. If your employer breaches these data rights, and you can prove you suffered damage (emotional or financial), you could make employee data breach claims.
We’ve mentioned how strict and far-reaching GDPR is, but what should a data controller do to ensure it complies with this legislation? In general terms, there are 7 principles of GDPR that organisations should comply with, including:
- Storage limitation
- Transparency, fairness and lawfulness
- Purpose limitation
- Confidentiality and integrity (security)
- Data minimisation
You can read more about what these principles involve by visiting the website of the Information Commissioner’s Office. A failure of an organisation to adhere to these principles could lead to the ICO taking enforcement action. This could include hefty fines.
We have mentioned that as your employer, Compass Group could hold a lot of personal information about you. They could collect some of this data from a job application, during your enrolment, or throughout your employment with them. Examples include:
- Employment information. This could include holiday leave or disciplinary action for example.
- Medical information, including any chronic conditions you suffer from that your employer needed to know about.
- Personal information relating to your contact details, address, name, phone number or email address.
- Financial data, such as bank account information, for example.
It is vital that employers understand that the protection of personal data goes far beyond putting computer security and network security practices in place. They should also train employees on the importance of data protection, when it comes to computerised data as well as that in notebooks, on notes and in filing cabinets.
A failure to do so could leave an employer at risk of data breaches. And, if you’ve suffered harm financially or psychologically because of such a breach, this could lead to employee data breach claims.
This guide to employee data breach claims against Compass Group aims to give information to help you. If you have evidence of a valid claim, are interested in checking whether you could have a case, and wonder whether a data breach lawyer could help you, why not Live Chat with our advisors?
Data breaches are data security incidents that lead to personal information being:
- Made unavailable
- Accessed without authorisation, or unlawfully
- Destroyed, transmitted, disclosed, altered or processed unlawfully or without authorisation
If you’re wondering how such breaches could happen, they could be accidental, or malicious in nature. Employee data breach claims could stem from:
- Phishing attacks that expose personal data
- A hacker using a bot, ransomware, DDoS attacks, or malware to breach your data privacy
- HR speaking about your medical information with management in earshot of your colleagues
- Payroll sending your bank details accidentally to another employee
These are just a few examples. If you have evidence of a justifiable claim, we could help advise you on what you could do about it. Simply click the Live Chat window to speak to us.
Data breaches can affect any organisation that processes personal information.
Compass Group Data Breach 2015
In 2015, it was reported that up to 70,000 consumers relating to the group may have had data, including payment card details, breached. The Compass Group were said to have found that unauthorised parties had infected point of sale kiosks at a variety of dining locations with malware. (Source: https://www.bankinfosecurity.com/pos-malware-victim-compass-group-a-8185)
While this does not represent an employee data breach, this could give you an idea of how serious a data breach could be. A malware victim could suffer financial harm by having their payment details compromised. Someone could make purchases in their name, or steal money from them. Victims of a data breach could also suffer stress and anxiety because of the breach.
What Else Could Cause Employee Data Breach Claims Against Compass Group?
A breach could occur due to a cybersecurity attack, such as the above, or it could result from human error, such as an email being sent to an unauthorised person. It could even result from someone losing computer equipment that contains personal data, or leaving a filing cabinet unlocked with personal data in it.
Whatever the reason for a data breach, if it has harmed you financially or mentally, you could claim.
The Data Protection Act 2018, and its application of the UK GDPR, allows the victim of a data breach to claim compensation for non-material and material damages. Non-material damages compensate you for psychological harm and material damages compensate you for financial loss.
If no damage occurs, the victim of a data breach would not be able to make a claim for compensation. Successful claims would involve the claimant evidencing:
- A data breach occurred
- Their data privacy was breached in the incident
- They experienced financial expense due to the breach, or emotional harm
While it could be possible to claim data breach compensation without using a data breach solicitor, many claimants prefer legal assistance when making such claims.
Processing personal data without first getting consent could lead to employee data breach claims in some instances, but not in others. While Compass Group would need to obtain your consent to share your personal data in some instances, if it has a valid reason to share your data, this may not represent a breach. Valid reasons for sharing your data could include:
- For tasks in the public interest
- Reasons of vital interest (i.e. to protect someone’s life)
- To fulfil their legal obligations
- When they need to fulfil a contract
- For legitimate interests
If Compass Group breaches your personal data, and the breach risks your freedoms or rights, they should tell the ICO about the breach within 72 hours of it happening or its discovery. They should inform you of the breach too.
The information they should add in their report to the ICO includes:
- The nature of the breach
- Who to contact at the organisation about the data breach
- How many affected people and records there are
- What the consequences could be
- The category of records and people affected
- What they’re doing/have done to correct the situation
When an organisation has a data breach that doesn’t affect data subjects’ rights and freedoms, it isn’t legally bound to report it to the ICO. They must, however, retain their own accounts of such breaches.
The ICO, or Information Commissioner’s Office, supports data rights of data subjects in the UK. The ICO could investigate data breaches, and if it finds an organisation has breached data protection law, it could take enforcement action. As we have mentioned, if an organisation breaches the GDPR, the ICO could issue hefty fines. These could be up to the greater of:
- 4% of an organisation’s annual global turnover
- £17.5 million
However, the ICO would not issue compensation to victims of a data breach. Claimants could, however, find a data breach lawyer to help them make employee data breach claims if they suffer harm from a breach.
To help organisations understand data protection for employees, the ICO has created a code of practice. It gives guidance on the monitoring of employees and on personnel records and health information. It reiterates the fact that data protection is not limited to current employees. Organisations also have a responsibility to protect personal data of:
- Agency workers
- Applicants (unsuccessful and successful)
- Former employees
- Casual workers
- Previous applicants
You don’t have to be employed by the group now to start employee data breach claims. If you have evidence of a valid claim, you can talk with our advisors to see if you could be eligible for data breach compensation.
The ICO asks that you try to resolve complaints directly with the organisation if you’re not satisfied with how they’ve handled your data. Organisations do have an obligation to try and resolve data issues with you.
If you’re unhappy with what the organisation does about your complaint, you could escalate it to the ICO. However, you should not leave it too long to do so. You should contact the ICO about a data breach within three months of the organisation’s final communication on the matter. Leaving it any longer could affect how the ICO deal with your complaint.
When making employee data breach claims for a GDPR breach, you would not necessarily have to contact the ICO. You could find a data breach solicitor to aid you in claiming compensation.
The GDPR allows you to claim for both financial and psychological damages resulting from an employee data breach. Financial damage could relate to the cost of identity fraud or theft, for example. You could evidence that you’ve suffered this type of harm using bank statements and credit card bills, or other documentation.
But you could also claim for psychological harm you’ve suffered due to the data breach, even if there has been no financial loss. In Vidal-Hall and others v Google Inc, a legal precedent was set that could allow for this.
The Court of Appeal held that awards similar to those in personal injury cases involving psychiatric/psychological injuries could be compensated in such cases. Therefore, you could claim for anxiety, mental distress, and loss of sleep if you experience this damage due to a data breach, even if you don’t claim for financial loss.
Evidencing Your Injuries
To evidence your psychiatric injury, you would need to attend an assessment with an independent medical expert who would, based on your assessment, write a report. This report could provide vital medical evidence, and lawyers could use the report alongside the Judicial College Guidelines in valuations of your pain and suffering.
Figures showing what the Judicial College Guidelines recommend as compensation for such injuries are in the table below. This could present you with a very rough guideline as to how much you could claim.
| Injury Type | Guideline Amount | How Severe |
|---|---|---|
| A case with general psychological injury | £51,460 to £108,620 | Severe |
| PTSD injury | £56,180 to £94,470 | Severe |
| PTSD injury | £21,730 to £56,180 | Moderately severe |
| A case with general psychological injury | £17,900 to £51,460 | Moderately severe |
| PTSD injury | £7,680 to £21,730 | Moderate |
| A case with general psychological injury | £5,500 to £17,900 | Moderate |
| PTSD injury | Up to £7,680 | Less severe |
| A case with general psychological injury | Up to £5,500 | Less severe |
If you’re not sure how severe your injury is, or you’d like to talk to us about how courts and lawyers calculate compensation, why not use Live Chat to get in touch?
Making employee data breach claims doesn’t have to mean paying legal fees upfront. No Win No Fee data breach lawyers could take on your case with no upfront payment. Instead, they would ask for a small, legally capped success fee from your compensation payout. And they’d only ask for it if your case wins.
The process would generally work as per the below:
- Your data breach lawyer would ask you to sign a Conditional Fee Agreement (the formal term for a No Win No Fee agreement). You’d find details of the success fee within the document. It’s a small percentage of your total settlement.
- The lawyer could start on your claim once they receive your signed agreement. They’d negotiate with the liable party or their insurers for a payout. If your case needed to go through the courts, your lawyer would support you through this.
- When your compensation payout comes through, they’ll deduct the agreed success fee, and you would benefit from the balance.
- If your No Win No Fee claim didn’t bring you compensation, you would not need to pay any solicitor fees.
To connect with a No Win No Fee lawyer, why not click the banner below to speak to Legal Expert, who could help you launch a data breach claim? If you’d prefer to chat to our advisors, we’d be happy to offer you further guidance. All you need to do to contact us is use the contact form or our Live Chat service.
Here, you can find some more resources if you’d like to keep reading about this subject or related subjects.
Time Limits For Responding – This ICO guide offers insight into how quickly you should receive a response from an organisation.
Action Taken – ICO actions that have been taken can be found here.
Data Security Trends – You can read about what industries and sectors have been affected by breaches here.
Agency Workers – This guide explains agency workers’ rights.
Your Work Rights – A guide about workplace rights for employees.
Employee Data Breach Claims – Our general guide to data breach claims can be found here.
Do I Need To Contact The ICO?
You do not need to contact the ICO to make employee data breach claims. Instead, you could attempt to take the matter up with the organisation yourself. Or, you could find a data breach lawyer to help you.
What Evidence Do I Need?
You would need evidence that a breach happened and you’d also need to evidence the harm you suffered. This could involve financial evidence and medical evidence.
Should I Report My Employer To The ICO?
If your employer doesn’t respond satisfactorily to your data breach complaint, you could opt to escalate your claim by reporting it to the ICO. However, you don’t have to make a report to the ICO to make a data breach claim.
How Long Will It Take Me To Get Compensation?
How long your claim takes would depend on a number of factors including whether the other party admitted liability. In complex cases, or where your employer disputes liability, claims could take some time. If your employer admits liability and offers compensation, your case could be over relatively swiftly.
Thanks for reading our guide to potential employee data breach claims against Compass Group.
Guide by JEF
Edited by VIC