There is no recital in the Regulation related to article 82.
Recitals of the Directive related to article 82
Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private or public law, who fails to comply with the national measures taken under this Directive;
The GDPR
Article 82 of the Regulation confirms the above, by specifying the principle of compensation for the material or immaterial damage suffered by any person as a result of an infringement of this Regulation (paragraph 1). The compensation may be received from the “controller” or the “processor”.
Paragraph 2 of this provision also specifies the events giving rise to the liability of both participants: a controller shall be liable for its “participation in processing”, while the processor shall only be liable for failure to perform the obligations specifically imposed by the Regulation or where it has acted outside or contrary to lawful instructions of the controller.
The exemption provided by the Directive applies in favour of both actors if it is proven that the event which caused the damage is not attributable to them.
The real novelty of this provision involves the establishment of a joint liability of the controller(s) and/or the processor(s) involved in the same processing under the conditions defined by the provision. To this end, either the controllers or the processors, or the controller or the processor involved in the same processing must be held liable for damage caused by the processing pursuant to paragraphs 2 and 3. In this case, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject (paragraph 4). Where a controller or processor has paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2 (paragraph 5).
Court proceedings for exercising the right to receive compensation shall be brought before the courts designated competent under the law of the Member State referred to in Article 79 (2) (paragraph 6).
The Directive
Article 23 of the Directive provided for the right to receive from the controller compensation for the damage suffered as a result of an unlawful processing operation or of any act incompatible with said Directive. A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage (fault of the data subject, force majeure, etc.).
This provision implied that a legal remedy is available under national legislation (recital 55).
Potential issues
The first difficulty will be to determine the scope of the requirement of “participation” in the same processing. It seems that the provision considers that there could be a controller who does not participate in the processing (paragraph 2) without defining the scope of these terms. If so, it would be appropriate to admit that the qualification of a controller for a specific processing is not sufficient to give rise to liability for non-compliance.
But what do these conditions for “participation” refer to? The explanation for the concept is particularly unclear: it is not clear whether the victim is confronted with joint controllers who are bound by the solidarity rule, or whether the controller is potentially responsible for infringement of the protection rules in the performance of the processing.
The concept is also used to define the liability of potential processors held jointly with one or more controllers (see paragraph 4). In the latter case, however, the participation can be conceived only if the processor acts on the controller’s instruction.
The other difficulty relates to the definition of joint liability. It seems that two conditions must be met: (i) the controllers and/or the processors shall be involved in the same processing and (ii) the violation of specific obligations shall be the cause of the damage suffered by the claimant. However, it seems that responsibility for only part of the overall damage shall be sufficient for liability for the entire damage suffered by the claimant. The definition of joint liability seems to be very wide and, on reflection, very severe with respect to the processors, who are not liable for the compliance, do not have the same obligations as the controller and could be required to remedy part of the damages caused by faults not attributable to their service. Not surprisingly, paragraph (5) allows a controller or processor who has had to pay full compensation to a claimant to recoup that part of the damages actually caused by other controllers or processors involved in the joint processing.
Finally, it should be noted that the text seems to exclude possible liability of any possible processors processing data on behalf of the main processor. These processors of the processor appear exempt from the joint liability rule. Even more amazingly, the text only refers to joint liability of one controller with one processor while in practice, several controllers and processors can participate in the same processing.
European Union
CJEU caselaw
C-40/17 (29 July 2019) - Fashion ID
1. Articles 22 to 24 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as not precluding national legislation which allows consumer-protection associations to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data.
2. The operator of a website, such as Fashion ID GmbH & Co. KG, that embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor can be considered to be a controller, within the meaning of Article 2(d) of Directive 95/46. That liability is, however, limited to the operation or set of operations involving the processing of personal data in respect of which it actually determines the purposes and means, that is to say, the collection and disclosure by transmission of the data at issue.
3. In a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, it is necessary that that operator and that provider each pursue a legitimate interest, within the meaning of Article 7(f) of Directive 95/46, through those processing operations in order for those operations to be justified in respect of each of them.
4. Article 2(h) and Article 7(a) of Directive 95/46 must be interpreted as meaning that, in a situation such as that at issue in the main proceedings, in which the operator of a website embeds on that website a social plugin causing the browser of a visitor to that website to request content from the provider of that plugin and, to that end, to transmit to that provider personal data of the visitor, the consent referred to in those provisions must be obtained by that operator only with regard to the operation or set of operations involving the processing of personal data in respect of which that operator determines the purposes and means. In addition, Article 10 of that directive must be interpreted as meaning that, in such a situation, the duty to inform laid down in that provision is incumbent also on that operator, but the information that the latter must provide to the data subject need relate only to the operation or set of operations involving the processing of personal data in respect of which that operator actually determines the purposes and means.
Opinion of Advocate general
Judgement of the court
C-300/21 (4 May 2023) - Österreichische Post
1. Article 82(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) must be interpreted as meaning that the mere infringement of the provisions of that regulation is not sufficient to confer a right to compensation.
2. Article 82(1) of Regulation 2016/679 must be interpreted as precluding a national rule or practice which makes compensation for non-material damage, within the meaning of that provision, subject to the condition that the damage suffered by the data subject has reached a certain degree of seriousness.
3. Article 82 of Regulation 2016/679 must be interpreted as meaning that for the purposes of determining the amount of damages payable under the right to compensation enshrined in that article, national courts must apply the domestic rules of each Member State relating to the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are complied with.
Decision of the Court
Opinion of the advocate general