An established legal liability results in a responsibility towards a claimant. Claimants must prove their position and the liability of the alleged wrongdoer. Once effectively established, a right to compensation may be granted to the claimant. In regard to the European GDPR Regulation, the right to compensation and liability is discussed in Article 82. The liability is independent from administrative fines imposed by supervisory authorities.
Under the GDPR Regulation, natural persons who suffered material or non-material damage caused by an infringement of the GDPR have a right for compensation. Controllers and processors of personal data are both subject to Article 82. The controller is liable for damage caused by processing which infringes the GDPR regulation. Processors, however, are only liable for damage caused by processing where it has not complied with obligations of the regulation specifically directed to processors. Additionally, processors can be held accountable for their acts outside or contrary to lawful instructions of the controller.
Exemptions from liability apply to controllers and processors of personal data are described in Article 2 of the Regulation. The article explains that the Regulation does not apply to the processing of personal data in the following four events. In the course of an activity which falls outside the scope of Union law. By the member states when carrying out activities which fall within the scope of Chapter 2 of Title V of the TFEU. By a natural person in the course of a purely personal or household activity. And by competent authorities for the purposes of the prevention, investigation detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
In the event that a controller and processor are involved in the same processing, both are responsible for the entire damage to ensure effective compensation to the data subject. Liability must be approved by the competent court. The appropriate court is established in the member state of the controller or processor, or the wronged data subject. Even though a controller and processor are both liable for the full compensation award, data subjects will not be paid the compensation amount twice. Processors and controllers are responsible for settlement of the award between each other after a payment is made to the data subject.