Dealing with a personal data breach

Articles 77 to 82 of the GDPR detail the remedies that are available to an individual for a personal data breach.

An individual whose personal data has been processed in a way that infringes his or her rights under the GDPR is entitled to lodge a complaint with the ICO. If unhappy with the outcome, he or she has the right to challenge the ICO’s decision in the courts. In addition, or instead of, pursuing a complaint to the ICO, the data subject can bring a legal claim against a controller or processor.

Any person who has suffered material or non-material damage as a result of an infringement of GDPR has the right to receive compensation from the controller or processor for the damage suffered.

The data controller is primarily liable for damage caused by processing infringements; the processor will only be liable if it has not complied with its specific duties under the GDPR or if it has acted outside or contrary to the controller’s lawful instructions. If they are jointly responsible, they are both liable for the damage to make sure that the individual is compensated.

The controller or processor is exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.