GENERAL DATA PROTECTION REGULATION AND DATA PROTECTION ACT 2018

This table contains extracts and summaries of legislation using among other things the headings of paragraphs in the Schedules to the UK Data Protection Act 2018 ('DPA'). After identifying relevant paragraphs in those Schedules, users of this table should always use the DPA links provided to refer to the full text of those paragraphs, in order to identify their precise scope and to identify the 'listed GDPR provisions'. (See Summary of Data Protection Act 2018 for further explanation.)

This table sets out extracts from the official version of the GDPR and the original version of the DPA. It does not yet set out the amendments made to the GDPR and the DPA, effective within the UK as from the date of Brexit, by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, SI 2019/419. See the Brexit page for further information regarding Brexit.

Item Reference       Article 82 Link
1 82. Article 82 GDPR 82
2 82. Right to compensation and liability GDPR 82
3 82.1 1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. GDPR 82
4 82.2 2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. GDPR 82
5 82.3 3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage. GDPR 82
6 82.4 4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject. GDPR 82
7 82.5 5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2. GDPR 82
8 82.6 6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2). GDPR 82
Item Reference Articles which affect Article 82 Link
Item Reference Sections of the Data Protection Act 2018 which affect Article 82 Link
14 s. 168 Compensation for contravention of the GDPR DPA s.168
15 s. 168 (1) In Article 82 of the GDPR (right to compensation for material or non-material damage), "non-material damage" includes distress.
(2) Subsection (3) applies where-
(a) in accordance with rules of court, proceedings under Article 82 of the GDPR are brought by a representative body on behalf of a person, and
(b) a court orders the payment of compensation.
(3) The court may make an order providing for the compensation to be paid on behalf of the person to-
(a) the representative body, or
(b) such other person as the court thinks fit.
DPA s.168
16 s. 169 Compensation for contravention of other data protection legislation DPA s.169
17 s. 169 (1) A person who suffers damage by reason of a contravention of a requirement of the data protection legislation, other than the GDPR, is entitled to compensation for that damage from the controller or the processor, subject to subsections (2) and (3).
(2) Under subsection (1)-
(a) a controller involved in processing of personal data is liable for any damage caused by the processing, and
(b) a processor involved in processing of personal data is liable for damage caused by the processing only if the processor-
(i) has not complied with an obligation under the data protection legislation specifically directed at processors, or
(ii) has acted outside, or contrary to, the controller’s lawful instructions.
(3) A controller or processor is not liable as described in subsection (2) if the controller or processor proves that the controller or processor is not in any way responsible for the event giving rise to the damage.
(4) A joint controller in respect of the processing of personal data to which Part 3 or 4 applies whose responsibilities are determined in an arrangement under section 58 or 104 is only liable as described in subsection (2) if the controller is responsible for compliance with the provision of the data protection legislation that is contravened.
(5) In this section, "damage" includes financial loss and damage not involving financial loss, such as distress.
DPA s.169
Item Reference       GDPR Recitals which affect Article 82
18 Recital 146 (146) The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law. Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation. Data subjects should receive full and effective compensation for the damage they have suffered. Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage. However, where they are joined to the same judicial proceedings, in accordance with Member State law, compensation may be apportioned according to the responsibility of each controller or processor for the damage caused by the processing, provided that full and effective compensation of the data subject who suffered the damage is ensured. Any controller or processor which has paid full compensation may subsequently institute recourse proceedings against other controllers or processors involved in the same processing.
19 Recital 147 (147) Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy including compensation, against a controller or processor, general jurisdiction rules such as those of Regulation (EU) No 1215/2012 of the European Parliament and of the Council (13) should not prejudice the application of such specific rules.
Item Reference       Related Guidance which affects Article 82
20 ICO guidance on Contracts between Controllers and Processors [in brief] Guidance
21 ICO guidance on Contracts between Controllers and Processors [more detailed] Guidance
Disclaimer - Copyright - Privacy policy