|1||82.||Article 82||GDPR 82|
|2||82.||Right to compensation and liability||GDPR 82|
|3||82.1||1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.||GDPR 82|
|4||82.2||2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.||GDPR 82|
|5||82.3||3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.||GDPR 82|
|6||82.4||4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.||GDPR 82|
|7||82.5||5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.||GDPR 82|
|8||82.6||6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).||GDPR 82|
|Item||Reference||Articles which affect Article 82||Link|
|9||4.(1)||(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;||GDPR 4|
|10||4.(2)||(2) 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;||GDPR 4|
|11||4.(7)||(7) 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;||GDPR 4|
|12||4.(8)||(8) 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;||GDPR 4|
|13||28.10||10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.||GDPR 28|
|Item||Reference||Sections of the Data Protection Act 2018 which affect Article 82||Link|
|14||s. 168||Compensation for contravention of the GDPR||DPA s.168|
|15||s. 168||(1) In Article 82 of the GDPR (right to compensation for material or non-material damage), "non-material damage" includes distress.
(2) Subsection (3) applies where-
(a) in accordance with rules of court, proceedings under Article 82 of the GDPR are brought by a representative body on behalf of a person, and
(b) a court orders the payment of compensation.
(3) The court may make an order providing for the compensation to be paid on behalf of the person to-
(a) the representative body, or
(b) such other person as the court thinks fit.
|16||s. 169||Compensation for contravention of other data protection legislation||DPA s.169|
|17||s. 169||(1) A person who suffers damage by reason of a contravention of a requirement of the data protection legislation, other than the GDPR, is entitled to compensation for that damage from the controller or the processor, subject to subsections (2) and (3).
(2) Under subsection (1)-
(a) a controller involved in processing of personal data is liable for any damage caused by the processing, and
(b) a processor involved in processing of personal data is liable for damage caused by the processing only if the processor-
(i) has not complied with an obligation under the data protection legislation specifically directed at processors, or
(ii) has acted outside, or contrary to, the controller’s lawful instructions.
(3) A controller or processor is not liable as described in subsection (2) if the controller or processor proves that the controller or processor is not in any way responsible for the event giving rise to the damage.
(4) A joint controller in respect of the processing of personal data to which Part 3 or 4 applies whose responsibilities are determined in an arrangement under section 58 or 104 is only liable as described in subsection (2) if the controller is responsible for compliance with the provision of the data protection legislation that is contravened.
(5) In this section, "damage" includes financial loss and damage not involving financial loss, such as distress.
|Item||Reference||GDPR Recitals which affect Article 82|
|18||Recital 146||(146) The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law. Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation. Data subjects should receive full and effective compensation for the damage they have suffered. Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage. However, where they are joined to the same judicial proceedings, in accordance with Member State law, compensation may be apportioned according to the responsibility of each controller or processor for the damage caused by the processing, provided that full and effective compensation of the data subject who suffered the damage is ensured. Any controller or processor which has paid full compensation may subsequently institute recourse proceedings against other controllers or processors involved in the same processing.|
|19||Recital 147||(147) Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy including compensation, against a controller or processor, general jurisdiction rules such as those of Regulation (EU) No 1215/2012 of the European Parliament and of the Council should not prejudice the application of such specific rules.|
|Item||Reference||Related Guidance which affects Article 82|
|20||ICO guidance on Contracts between Controllers and Processors [in brief]||Guidance|
|21||ICO guidance on Contracts between Controllers and Processors [more detailed]||Guidance|