Article 79
Right to an effective judicial remedy against a controller or processor
(55) Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private of public law, who fails to comply with the national measures taken under this Directive;
Regulation
Art. 79 1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation. 2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers. |
Directive
Art. 22 Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question. |
Germany
|
Hungary
Judicial remedy § 22 Data Protection Act (1) In the event of any infringement of his rights, the data subject, and in the cases referred to in Section 21, the data recipient may file for court action against the controller. The court shall hear such cases in priority proceedings. (2) The burden of proof to show compliance with the law lies with the data controller. In the cases under Subsections (5) and (6) of Section 21, the burden of proof concerning the lawfulness of receiving data lies with the data recipient. [...] (4) Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such actions. The Authority may intervene in the action on the data subject’s behalf. (5) When the court’s decision is in favor of the plaintiff, the court shall order the controller to provide the information, to rectify, block or erase the data in question, to annul the decision adopted by means of automated data-processing systems, to honor the data subject’s objection, or to disclose the data requested by the data recipient referred to in Section 21. (6) If the court rejects the petition filed by the data recipient in the cases defined in Section 21, the controller shall be required to erase the data subject’s personal data within three days of delivery of the court ruling. The controller shall erase the data even if the data recipient does not file for court action within the time limit referred to in Subsection (5) or (6) of Section 21. (7) The court may order publication of its decision, indicating the identification data of the controller as well, where this is deemed necessary for reasons of data protection or in connection with the rights of large numbers of data subjects under protection by this Act. |