
GDPR Breaches and Irish Law

A look at the relevant Irish Law in respect of data breaches and GDPR breaches.

 

In Ireland, an individual is entitled to compensation from a data controller / processor in the event that their data has been breached and the data breach has been the fault of the data controller / processor.

 

Under Section 117 of the Data Protection Act:

 

Judicial remedy for infringement of relevant enactment

 

 

117. (1) Subject to subsection (9), and without prejudice to any other remedy available to him or her, including his or her right to lodge a complaint, a data subject may, where he or she considers that his or her rights under a relevant enactment have been infringed as a result of the processing of his or her personal data in a manner that fails to comply with a relevant enactment, bring an action (in this section referred to as a “data protection action”) against the controller or processor concerned.

 

(2) A data protection action shall be deemed, for the purposes of every enactment and rule of law, to be an action founded on tort.

 

(3) The Circuit Court shall, subject to subsections (5) and (6), concurrently with the High Court, have jurisdiction to hear and determine data protection actions.

 

(4) The court hearing a data protection action shall have the power to grant to the plaintiff one or more than one of the following reliefs:

 

(a) relief by way of injunction or declaration; or

 

(b) compensation for damage suffered by the plaintiff as a result of the infringement of a relevant enactment.

 

(5) The compensation recoverable in a data protection action in the Circuit Court shall not exceed the amount standing prescribed, for the time being by law, as the limit of that court’s jurisdiction in tort.

 

(6) The jurisdiction conferred on the Circuit Court by this section may be exercised by the judge of any circuit in which—

 

(a) the controller or processor against whom the data protection action is taken has an establishment, or

 

(b) the data subject has his or her habitual residence.

 

(7) A data protection action may be brought on behalf of a data subject by a not-for-profit body, organisation or association to which Article 80(1) applies that has been mandated by the data subject to do so.

 

(8) The court hearing a data protection action brought by a not-for-profit body, organisation or association under subsection (7) shall have the power to grant to the data subject on whose behalf the action is being brought one or more of the following reliefs:

 

(a) relief by way of injunction or declaration; or

 

(b) compensation for damage suffered by the plaintiff as a result of the infringement of the relevant enactment.

 

(9) A data subject may not bring a data protection action against a controller or processor that is a public authority of another Member State acting in the exercise of its public powers.

 

(10) In this section—

 

“damage” includes material and non-material damage;

 

“injunction” means—

 

(a) an interim injunction,

 

(b) an interlocutory injunction, or

 

(c) an injunction of indefinite duration.

 

In a similar vein, under Article 82 of GDPR:

 

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.

6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).
