The GDPR articles explained: Chapter 8 - Remedies, liability, and penalties

Chapter 8 of the GDPR dives into the realm of remedies, liability, and penalties, outlining the tools available to individuals in case their data rights are infringed. It comprises Articles 77 to 84 of the GDPR, covering various aspects related to enforcement, legal recourse, and penalties for violations of data protection rules within the European Union (EU).

• Enforcement: It delineates the procedures and rights related to enforcement of GDPR provisions, ensuring that individuals have effective means to protect their data privacy rights.
• Legal recourse: It establishes clear rights for individuals to seek judicial remedies and compensation if their rights are violated, thereby promoting accountability among controllers and processors.
• Penalties and fines: It defines the potential penalties, including fines, which serve as deterrents for organizations to comply with GDPR requirements, thereby incentivizing proper data protection practices.
• Representation: It acknowledges the importance of representation for data subjects, particularly through non-profit organizations, ensuring that even individuals without substantial resources can assert their rights effectively.

Article 77: Right to lodge a complaint with a supervisory authority

Article 77 of the GDPR empowers data subjects with the right to file a complaint with a supervisory authority if they believe their personal data is being processed in violation of the GDPR. This right exists independently of other legal options, such as seeking compensation through the courts.

Right to complain: Every data subject has the right to lodge a complaint with a supervisory authority.

Choice of authority: Data subjects can file a complaint with the supervisory authority in:

• Their habitual residence (where they normally live)
• Their place of work
• The place where the alleged infringement (violation) occurred

Grounds for complaint: A complaint can be filed if the data subject believes the processing of their personal data infringes the GDPR. This could include situations where:

• Personal data is collected or processed without a lawful basis.
• Data is not processed in accordance with data protection principles (e.g., data minimization).
• Their rights as a data subject (e.g., access, rectification, or erasure) are not being respected.

Example:

Let's say a company has accidentally exposed all of its data subjects' customer service call history containing their credit card details online. This could be a violation of the GDPR's security and data minimization principles. Under Article 77, the data subjects would have the right to lodge a complaint with a relevant supervisory authority.

The supervisory authority's role:

• The authority the complaint is filed with is obligated to keep the data subject informed about the progress and outcome of the complaint.
• They will also advise the data subject of their right to seek judicial remedy (take legal action) if they find the organization to be in breach, as outlined in Article 78 of the GDPR.

This right to complain plays a crucial role in holding organizations accountable for their data handling practices and empowers individuals to enforce their data protection rights under the GDPR.

Article 78: Right to an effective judicial remedy against a supervisory authority

Article 78 of the GDPR safeguards data subjects' right to take legal action against a supervisory authority's decisions in specific situations. It ensures they have options if they believe the authority's response to their data privacy concerns is unsatisfactory.

Challenge legally binding decisions: Data subjects can seek judicial review of a legally binding decision made by a supervisory authority that directly affects them. This applies to any situation, not just those related to IT.

Challenge inaction or delays: Data subjects also have the right to take legal action if the supervisory authority:

• Fails to handle their complaint altogether.
• Doesn't keep them informed about the progress or outcome of their complaint lodged under Article 77 within a three-month timeframe.

Example:

Assume a data subject files a complaint with a data protection authority because a social media platform hasn't responded to their request to delete their personal data. After several months, they still haven't received any updates from the authority. Under Article 78(2), they could seek judicial review to compel the authority to act on their complaint.

Jurisdiction and sharing information:

• Legal proceedings against a supervisory authority must be brought before the courts of the member state (EU country) where the authority is located.
• If the case involves challenging a decision made after the consistency mechanism (where supervisory authorities work together) was used, the authority must provide the court with the relevant opinion or decision from the Board.

Article 79: Right to an effective judicial remedy against a controller or processor

Article 79 of the GDPR empowers the data subject with the right to take legal action against organizations (controllers or processors) that mishandle their personal data. This right exists independently of any complaints they may file with a supervisory authority (explained in Article 77).

Right to sue for infringement: Data subjects have the right to seek judicial remedy (go to court) if they believe an organization's processing of their personal data violates the GDPR and harms their rights.

Venue options: Data subjects can choose to bring legal action in the courts of:

• The member state (EU country) where the controller or processor has an establishment (office or branch).
• The member state where the data subject has a habitual residence.

Exception: This second option (their habitual residence) only applies if the controller or processor is not a public authority acting in its official capacity.

Example: Imagine a cloud storage service provider has suffered a data breach, exposing sensitive personal data, such as passport scans and financial information of its customers. The customers believe the company failed to implement appropriate security measures to protect their data, as required by the GDPR. Under Article 79, they could sue the cloud storage provider in the courts of:

• The country where the company has its headquarters (if it has an establishment there).
• The country where they reside (assuming the company is not a government agency acting in its official capacity).

Article 80: Representation of data subjects

Article 80 of the GDPR grants the data subject the right to have someone represent them in enforcing their data privacy rights. This can be particularly helpful if they find the process daunting or lack the resources to navigate legal procedures themselves.

Right to appoint a representative: Data subjects can designate a not-for-profit body, organization, or association to act on their behalf regarding their data privacy rights under the GDPR.

Qualifications of the representative: This representative must meet specific criteria:

• Be established according to the laws of an EU member state
• Have public interest objectives
• Be actively involved in protecting data subjects' rights related to personal data

Scope of representation: The representative can assist a data subject with:

• Lodging complaints with a supervisory authority (as outlined in Article 77).
• Seeking judicial remedies against supervisory authorities or controllers or processors (as outlined in Articles 78 and 79).
• Claiming compensation for damages suffered due to a data breach (where applicable under national laws).

Optional right for organizations: EU member states can choose to grant these same rights (lodging complaints and seeking judicial remedies) to the designated organizations even without their specific mandate. This allows these organizations to act proactively in protecting the broader public's data privacy rights.

Article 81: Suspension of proceedings

Article 81 of the GDPR aims to prevent contradictory rulings and streamline legal proceedings related to data protection. It establishes a mechanism for courts in different EU member states to coordinate when dealing with similar cases involving the same data processing activity by the same controller or processor.

Duty to check for parallel proceedings: If a court in an EU member state becomes aware of potentially parallel proceedings concerning the same data processing activity (same controller or processor) ongoing in another member state's court, it has a responsibility to contact the other court to confirm the existence of such proceedings.

Suspension of proceedings: Any court, other than the court first seized (the court that started handling the case first), may decide to suspend its own proceedings related to the same data processing activity. This avoids duplication of efforts and ensures resources are focused on one central case.

Declining jurisdiction: For cases still at first instance (initial court level), courts other than the first seized can also decline jurisdiction altogether, under certain conditions:

• The first seized court has jurisdiction over the case.
• The legal system of the first seized court allows for the consolidation of cases (combining them into a single proceeding).

Article 82: Right to compensation and liability

Article 82 empowers data subjects to claim compensation for damages suffered due to an infringement of the GDPR by a controller or processor. It establishes the principle of data controller and processor liability for data breaches and other privacy violations.

Right to compensation: Anyone who experiences material or non-material damage (financial loss, emotional distress, etc.) as a result of a GDPR violation has the right to seek compensation from the responsible party.

Controller liability: The controller, the entity that determines the purpose and means of processing personal data, is primarily liable for any damages caused by processing that infringes the GDPR.

Processor liability: Processors, the entities that process data on behalf of controllers, are only liable for damages if they:

• Fail to comply with their specific obligations under the GDPR.
• Act outside or against the lawful instructions of the controller.

Exemption from liability: Both controllers and processors can be exempt from liability if they can prove they were not in any way responsible for the event that caused the damage.

Joint and several liability: Where multiple controllers or processors are involved in the same processing activity that results in a GDPR violation, they can be held jointly and severally liable for the entire damage suffered by the data subject. This ensures the data subject receives full compensation, regardless of which party was primarily responsible.

Right to contribution: If a controller or processor pays full compensation to the data subject, they have the right to claim back a portion of that compensation from other controllers or processors involved in the same processing, based on their share of responsibility for the damage.

Jurisdiction: Legal proceedings for claiming compensation must be brought before the courts of the member state where the data subject has their habitual residence (as specified in Article 79(2) of the GDPR).

Article 83: General conditions for imposing administrative fines

Article 83 of the GDPR outlines the conditions under which supervisory authorities can impose administrative fines on organizations (controllers or processors) for violating the GDPR. It emphasizes the importance of these fines being effective, proportionate, and dissuasive.

Fines for specific infringements: The article details different categories of GDPR infringements and the maximum administrative fines associated with each:

• Up to €10 million or 2% of global annual turnover (whichever is higher) for violations related to controller or processor obligations, certification bodies, or monitoring bodies.
• Up to €20 million or 4% of global annual turnover (whichever is higher) for more serious violations, like breaches of core processing principles (e.g., consent), national data protection laws under Chapter IX of the GDPR, data subject rights, international data transfers, and non-compliance with supervisory authority orders.

Factors considered for fines: Supervisory authorities have discretion when imposing fines and consider various factors, including:

• The nature, severity, and duration of the infringement.
• The number of data subjects affected and the extent of damage they suffered.
• Whether the infringement was intentional or negligent.
• The controller or processor's efforts to mitigate the damage.
• The controller or processor's compliance history, technical and organizational measures, and cooperation with the supervisory authority.
• The category of personal data involved in the infringement.
• How the infringement came to light (e.g., self-reported or discovered by the authority).
• Any previous corrective measures imposed on the controller or processor.
• Adherence to approved codes of conduct or certification mechanisms.
• Any other aggravating or mitigating factors, such as financial gain from the violation.

Maximum fine for multiple infringements: If a controller or processor commits several GDPR violations (intentionally or negligently) during the same processing activity, the total fine cannot exceed the amount for the gravest infringement.

Fines for public authorities: EU member states can decide whether and how to impose administrative fines on public authorities for GDPR violations.

Procedural safeguards: The process of imposing fines must comply with proper legal procedures, including the right to judicial review and due process.

Adapting to national law: Member states without existing administrative fine systems can adapt this article to their legal framework, ensuring the imposed penalties are still effective, proportionate, and dissuasive.

Article 84: Penalties

Article 84 focuses on additional penalties for infringements that fall outside the scope of administrative fines outlined in Article 83. It grants flexibility to EU member states to define and implement their own penalty systems for these specific cases.

Member state discretion: EU member states have the responsibility to establish additional penalties for GDPR violations beyond those covered by administrative fines under Article 83. This allows them to tailor the penalty system to their existing legal frameworks.

Focus on non-fined violations: The primary purpose is to address infringements that wouldn't necessarily trigger administrative fines (e.g., less severe violations).