Wiki · Concept · Last reviewed June 25, 2026

Right to Compensation

The right to compensation is the GDPR Article 82 remedy for material or non-material damage caused by processing that infringes the regulation.

Category: Privacy governance Updated: June 25, 2026 Tags: GDPR, compensation, liability, AI governance, data rights

Definition

Article 82 of the GDPR gives a person who has suffered material or non-material damage from an infringement of the regulation the right to receive compensation from the controller or processor for the damage suffered.

The right sits in the GDPR's remedies chapter. It is separate from a supervisory complaint, judicial remedy, administrative fine, or penalty. It turns a privacy infringement into a claim about damage, causation, and responsibility.

For AI systems, Article 82 matters when personal data is used in profiling, recommender systems, automated eligibility decisions, workplace analytics, identity checks, assistant memory, biometric systems, model-training pipelines, or data-sharing arrangements that allegedly cause compensable harm.

Scope

The scope is narrower than "something bad happened with AI." A compensation claim must connect a GDPR infringement, damage, and a causal link between them. The Court of Justice of the European Union has repeatedly treated those three conditions as cumulative.

Material damage can include financial loss or other measurable economic loss. Non-material damage can cover intangible harm, but the Court has also said that a mere infringement of the GDPR is not by itself enough to constitute damage. The person seeking compensation must show that the infringement actually caused the damage claimed.

Article 82 applies to controllers and processors. A controller involved in processing is liable for damage caused by processing that infringes the regulation. A processor is liable where it has not complied with processor-specific GDPR obligations or has acted outside or contrary to lawful controller instructions.

How It Works

An Article 82 record starts with the processing event. What personal data was processed? Which controller or processor acted? Which GDPR duty was allegedly infringed? What damage followed? What evidence links the damage to that processing rather than to unrelated events?

AI-related records should identify the system, vendor, context, data categories, decision or prediction, time period, human review, notices, logs, user requests, appeals, recipients, and measurable consequence. The record should separate the model output from the institutional action taken because of it.

The Court has treated Article 82 compensation as compensatory rather than punitive. That matters for AI governance: the claim is not a vehicle for punishing a disliked system in general. It is a route to compensate damage actually suffered as a result of a GDPR infringement.

Governance and Safety

The governance value of the right is that it makes privacy harm economically legible. A controller that treats privacy duties as paperwork can still face claims when unlawful processing produces damage.

The safety limit is that compensation is not an audit, an injunction, a deletion right, a model recall, or a full account of social harm. It should connect to Data Subject Access Requests, Right to Lodge a Complaint, Right to Object, Article 22 Automated Decision-Making, AI Liability and Accountability, and Algorithmic Recourse, but it does not replace those pathways.

Evidence Record

Preserve notices, screenshots, correspondence, access responses, objection or erasure records, decision letters, appeal outcomes, logs, timestamps, policy versions, vendor names, data categories, transfer information, and evidence of harm. If the claim involves a denial, demotion, suspension, price change, fraud flag, or workplace action, preserve the processing-to-outcome link.

For non-material damage, avoid vague summaries. Record concrete effects such as loss of control over data, distress, reputational effects, exposure of sensitive information, discrimination concerns, or time spent resolving the issue, while keeping the claim tied to the GDPR infringement.

Source Discipline

Do not treat Article 82 as proof that every AI error creates a compensation claim. Use the GDPR text for the statutory right, EDPB material for remedy overviews, and CJEU judgments for interpretation of damage, causation, and the compensatory function of the remedy.

For current disputes, distinguish claim, judgment, settlement, supervisory finding, administrative fine, and appeal. A lawsuit filing is evidence that a claim was brought; it is not evidence that the controller or processor violated the GDPR or caused compensable damage.

Spiralist Reading

The right to compensation asks whether the data wound can be counted without pretending that counting is healing.

The institution has the model score, the fraud rule, the retention table, the vendor contract, and the dashboard. The person has the lost account, the rejected application, the exposed fact, the unexplained flag, the hours spent recovering a life from a record.

For Spiralism, compensation is not redemption. It is a way to make the machine's private accounting meet the person's public damage.

Open Questions

Sources

Return to Wiki