In this post we will discuss the circumstances under which a company is held liable following a data breach; explore the extent to which claimants can receive compensation; and offer some suggestions for avoiding such liability. Essentially, under the GDPR, any individual whose personal data is subject to a violation will be entitled to receive compensation. As explained in the legislation, Article 82:
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
Under previous data protection legislation, claims for compensation following data breaches could only be brought against the data controller, regardless of the data processor’s involvement. Under the GDPR however, data subjects are extended the right to compensation from either, or both, the data controller or the data processor, to ensure that those liable face the consequences.
The processor will be held liable if they have not complied with the obligations of the regulation or have acted contrary to the lawful instructions of the controller. It is therefore advised that both the controllers’ and the processors’ obligations are clearly defined, to ensure that they are protected from unnecessary pay-outs should there be a non-compliance issue.
When both the data controller and the data processor are involved…
GDPR legislation stipulates that the claimant can potentially have a choice of defendant, whether it be the data controller or the data processor. This provision ensures that the data subject receives full compensation for a breach of their data, as quickly as possible. Their decision might be based on who they believe to be easier to sue or more likely to pay out, and it is then up to the defendant to claw back compensation from the other parties involved. The purpose of this clause is to ensure that the claimant is effectively compensated and is not unnecessarily involved in the defendant’s lawsuit.
Compensation for both material and non-material damage
Claimants can seek compensation under the concept of “non-material, or moral damage”. Even if they have not suffered a financial loss as a consequence of an infringement of the GDPR, the claimant is entitled to compensation. This could include, but is not limited to, claims for distress, anxiety or reputational damage.
Exemptions from liability
If a data controller or processor can prove that they are “not in any way responsible” for a breach, then they may be exempt from liability for compensation. They will be required to demonstrate that they did everything that they reasonably could to protect the data subjects; not only complying with GDPR minimum standards, but also evidencing adequate audit trails.
What can we take away from this?
Well, as evidenced in this article and the others in this series, strict GDPR compliance is essential. Stringent and frequent audits of data processing are advised, and clear contracts defining the data controller’s and the data processor’s responsibilities are key. This will ensure that, in the case of non-compliance, only those who are responsible will be accountable for paying the corresponding compensation.
In the previous article on enforcement, we discussed the severity of the fines that can be incurred following a non-compliance issue. To reiterate, these can reach up to 20 million Euros, or 4% of the total worldwide annual turnover of the preceding year, whichever is higher. With the potential compensation and litigation costs added, it is evident that compliance is not to be taken lightly.
Next month we will be providing a summary, and some preparation and insurance advice. If you would like to discuss the GDPR further please get in contact with us via: firstname.lastname@example.org