Currently, ten WAMCA cases are pending involving foundations seeking compensation for alleged GDPR violations. The debate over whether compensation claims can be pursued through WAMCA proceedings for GDPR breaches has persisted for years. Under WAMCA, a representative organization acts on behalf of individuals who may have suffered harm, but not specifically on their instruction or with a power of attorney. The key issue is how this aligns with the relevant GDPR provisions.
Article 80(1) GDPR states that data subjects have the right to authorize a non-profit organization to file complaints on their behalf, exercise rights under Articles 77, 78, and 79, and seek compensation under Article 82.
In its 2022 Meta ruling, the ECJ set a relatively low threshold for organizations to represent individuals’ collective interests under Article 80(2) GDPR. The Court emphasizes that it is not necessary to identify in advance which individuals might have been affected.
Some authors believe the Meta ruling clearly indicates that damages can be claimed under the WAMCA for alleged GDPR violations, even without specific instructions. Others contend that the ruling merely confirms that Article 80(2) of the GDPR does not require organizations to identify the individuals they represent in advance. However, it remains uncertain whether mass claims for GDPR breaches should be permissible on an opt-out basis.
It is important to note that Article 80(2) of the GDPR does not allow for claims of compensation. It pertains to the right to complain to the appropriate supervisory authority, regardless of any instructions from the individual. The Meta ruling also does not clearly specify whether a claims organization can seek damages for a GDPR violation without an explicit mandate.
Stichting Data Bescherming Nederland v Amazon
On July 23, 2025, the Rotterdam District Court issued an interim ruling in the case of Stichting Data Bescherming Nederland (SDBN) against Amazon. The court has referred questions to the European Court of Justice.
Both the WAMCA and the GDPR establish eligibility criteria for advocacy groups seeking to initiate collective actions. While these requirements overlap to some extent, they are not entirely aligned. For instance, Dutch advocacy organizations must, according to Article 3:305a, paragraph 2, of the Civil Code, be sufficiently representative in terms of support and the scope of claims, whereas Article 80, paragraph 1, of the GDPR does not specify any representativeness criteria.
Therefore, when it comes to GDPR claims, Dutch advocacy groups face more stringent requirements under the WAMCA. The Court sees these additional rules as a restriction compared to Article 80, paragraph 1, of the GDPR. The question it is asking the ECJ is whether the WAMCA hinders the effective enforcement of the GDPR.
Article 82 of the GDPR addresses the right to compensation, but it is not explicitly referenced in Article 80(2). It could be inferred that, for this reason, the member states may not allow interest groups to claim compensation for a GDPR violation without the mandate of the parties involved. The ECJ also needs to resolve this question.
