Liability

In case of a data protection breach, the data controller can be held liable.

Feb 15, 20221 min read

The GDPR aims to be not just a set of rules on paper. Instead, Art. 82 gives a right to compensation to any person having suffered damages as a result of infringement of the data protection rules. This includes immaterial damages, e.g. for reputation or image.

The idea is to give the GDPR some teeth by interpreting this right broadly. Courts in the EU member countries indeed do this by awarding high damages.

Liability rests with controller or processor of personal data. Recent decisions, however, use a broad interpretation of who actually is a "controller", sometimes including the management of a company, creating a joint and several liability.