A closer look to damages under the GDPR

The General Data Protection Regulation, GDPR (Regulation (EU) 2016/679) started to apply on May 25, 2018. See here. The GDPR sets forth the data subject’s right to compensation and liability for the damages caused by processing infringing the GDPR. Pursuant to Article 82, GDPR: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”.[1]

Let’s see in some details.


Type of damages

Liable subjects

Allocation of liabilities between controllers and processors

Swift of burden of proof

Joint liability

Claims for contributions

Certification mechanism to attest liability


Type of damages. The damages resulting of the GDPR’s infringement can be material or non-material. Examples of both (varying likelihood and severity) are given by Whereas 77 GDPR: processing may give rise to discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymisation, or any other significant economic or social disadvantage; data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; processing could reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures, performance at work, economic situation, health, personal preferences or interests, location or movements; or even reveal data of vulnerable natural persons, in particular of children.

Liable subjects. Article 82, GDPR, expressly states that controllers or processors are the ones that shall compensate data subjects for the damages suffered by a processing that infringed the GDPR.

According to the text of the GDPR, it may be possible to foresee an exclusive responsibility of the data controller and processor even if the damages were caused by the Data Protection Officer (DPO) or by other subjects authorized to the processing. However, applicable national provisions may set forth a joint liability, for example, of the employer and the employee for the damages caused by the latter.

The position of Article 27 representative in the Union of non-established controllers and processors is unclear. 

Article 27 (5) specifically says that the “designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or processor themselves.”  and Whereas 80 provides “The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.”

Allocation of liabilities between controllers and processors. According to the principle set forth by Whereas 79, GDPR, it is important to clearly allocate the responsibilities under the GDPR, including for those cases “where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller”.

To this aim, Article 82, paragraph 2, GDPR, provides that the controller involved in processing shall be liable for the damages caused by processing in violation of the GDPR, while the processor “shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller”.

Swift of burden of proof. The Regulation seems to reverse the burden of proof: once a claim is made, the controller or processor must prove their lack of responsibility. According to Article 82, paragraph 3, a controller or processor shall be exempt from liability “if it proves that it is not in any way responsible” for the damaging event.

Joint liability. Controller and processor are held jointly liable by the GDPR for damages caused by the processing. “Each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject”. The more the functions of the processor are detailed, the easier it is to demonstrate that the controller is not responsible.

Claims for contributions. Article 82, paragraph 4, GDPR, explains that even though controller and processor are held jointly liable against the data subject, the amount of damages due by each one varies depending on the grade of culpability.

A controller or processor that paid full damage compensation shall be entitled to claim back from the other controllers or processors involved “that part of the compensation corresponding to their part of responsibility for the damage”. The responsibility will vary depending on the amount and type of information that the controller gave to the processor and their compliance by the latter, as well as on the performance of the monitoring activities to be carried out by the controller.

Certification mechanism to attest liability. There are several provisions that encourage the adoption of codes of conduct, also to help verify the type and amount of the controller and processor’s duties. For example, according to Whereas 77, GDPR, guidance on the demonstration of compliance by the controller or the processor, especially with regard to the identification of the risks related to the processing could be provided by means of approved codes of conduct. Whereas 98 states that “codes of conduct could calibrate the obligations of controllers and processors”. Article 42, GDPR, highlights how “data protection certification mechanisms” could be useful to demonstrate compliance with the GDPR of processing operations by controllers and processors. However, it reminds that a certification pursuant to Article 42, GDPR, “does not reduce the responsibility of the controller or the processor for compliance with this Regulation”.


For more information on how the GDPR could influence your organization, contact Francesca Giannoni-Crystal and Federica Romanelli


[1] As it has been correctly pointed out Article 82 does not say “A data subject who has suffered material or non-material damage …”. It says: “Any person who has suffered material or non-material damage …” so that data subjects are not the only possible plaintiffs here. On the other hand, Article 79 (Right to an effective judicial remedy against a controller or processor) Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject  shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.”  See Prof. Pizzetti’s LinkedIn post of November 27, 2018 https://www.linkedin.com/feed/update/urn:li:activity:6473302040696094720)

Follow us on& Like us on