GDPR Articles With Commentary & EU Case Laws by Adv. Prashant Mali
Art. 82 GDPR Right to compensation and liability
Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).
Suitable Recitals
(146) Indemnity; (147) Jurisdiction.
COMMENTARY:
Article 82 of the Regulation confirms the above, by specifying the principle of compensation for the material or immaterial damage suffered by any person as a result of an infringement of this Regulation. The compensation may be received from the "controller" or the "processor". Paragraph 2 of this provision also specifies the events giving rise to the liability of both participants: a controller shall be liable for its "participation in processing", while the processor shall be liable only for failure to perform the obligations specifically imposed by the Regulation or where it has acted outside or contrary to lawful instructions of the controller.
Exemption from the Directive is applicable in favour of the two actors if it is proven that the event which caused the damage is not attributable to them. The real novelty of this provision involves the establishment of a joint liability of the controller(s) and/or the processor(s) involved in the same processing under the conditions defined by the provision. To this end, either the controllers or the processors, or the controller or the processor involved in the same processing must be held liable for damage caused by the processing pursuant to paragraphs 2 and 3. In this case, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject. Where a controller or processor has paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
Court proceedings for exercising the right to receive compensation shall be brought before the courts designated competent under the law of the Member State referred to in Article 79 (2). Article 23 of the Directive provided for the right to receive from the controller compensation for the damage suffered as a result of an unlawful processing operation or of any act incompatible with said Directive. A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage (fault of the data subject, force majeure, etc.).
This provision implied that a legal remedy is available under national legislation (recital 55).
Art. 83 GDPR General conditions for imposing administrative fines
Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
the intentional or negligent character of the infringement;
any action taken by the controller or processor to mitigate the damage suffered by data subjects;
the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
any relevant previous infringements by the controller or processor;
the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
the categories of personal data affected by the infringement;
the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
the obligations of the certification body pursuant to Articles 42 and 43;
the obligations of the monitoring body pursuant to Article 41(4).
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
the data subjects' rights pursuant to Articles 12 to 22;
the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
any obligations pursuant to Member State law adopted under Chapter IX;
non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.
Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws, which they adopt pursuant to this paragraph by 25th May 2018 and, without delay, any subsequent amendment law or amendment affecting them.
Suitable Recitals
(148) Penalties; (149) Penalties for infringements of national rules; (150) Administrative fines; (151) Administrative fines in Denmark and Estonia; (152) Power of sanction of the Member States.
COMMENTARY:
Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 and presented below:
These fines must be in all cases effective, proportionate and dissuasive.
Depending on the circumstances of each individual case, the fines shall be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58 (2) that may be imposed by the supervisory authority.
When deciding on the amount of the administrative fine in each individual case, the authority must give due regard to the following:
the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
the intentional or negligent character of the infringement;
any action taken by the controller or processor to mitigate the damage suffered by data subjects;
the degree of responsibility of the controller or processor taking into account technical and organizational measures implemented by them pursuant to Articles 25 (protection by design and protection by default) and 32 (security of processing);
any relevant previous infringements by the controller or processor;
the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
the categories of personal data affected by the infringement;
the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
Where measures have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures.
Regard should also be given to the adherence to approved codes of conduct or approved certification mechanisms;
any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
As to the amounts, a gradual system exists depending on the severity attributed to the infringement:
Administrative fines up to EUR 10,000,000, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (paragraph 4):
the obligations of the controller and the processor:
relating to consent of children in connection with information society services (Art. 8);
relating to processing not requiring identification (Art. 11);
relating to data protection by design and data protection by default (Art. 25);
rules specific to the joint controllers (Art. 26);
relating to representatives of the controller not established in the Union (Art. 27);
imposed in the relationship between the controller and the processor (Art. 28);
relating to processing under the authority of the controller or processor (Art. 29);
relating to keeping a register of all categories of processing activities (Art. 30);
concerning the cooperation with the supervisory authority (Art. 31);
regarding to