Artikkel 82
Right to compensation and liability

Offisielle tekster Retningslinjer
og beslutninger
Vurderinger
EU-regulering
Vurderinger
nasj. regulering

Det finnes ingen fortaletekst i forordningen relatert til art. 82.

Vis direktivets fortaletekst relatert til art. 82 keyboard_arrow_down Skjul direktivets fortaletekst relatert til art. 82 keyboard_arrow_up

Whereas, if the controller fails to respect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage which a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private of public law, who fails to comply with the national measures taken under this Directive;

GDPR

Article 82 of the Regulation confirms the above, by specifying the principle of compensation for the material or immaterial damage suffered by any person as a result of an infringement of this Regulation (paragraph 1). The compensation may be received from the “controller” or the “processor”.

Paragraph 2 of this provision also specifies the events giving rise to the liability of both participants: that a processor shall be liable for its “participation in processing” while the processor shall be only liable for failure to perform the obligations specifically imposed by the Regulation or where it has acted outside or contrary to lawful instructions of the controller.

Exemption from the Directive is applicable in favour of the two actors if proven that the event which caused the damage is not attributable to it.

The real novelty of this provision involves the establishment of a joint liability of the controller(s) and/or the processor(s) involved in the same processing under the conditions defined by the provision. To this end, either the controllers or the processors, or the controller or the processor involved in the same processing must be held liable for damage caused by the processing pursuant to paragraphs 2 and 3. In this case, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject (paragraph 4). Where a controller or processor has paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2 (paragraph 5).

Court proceedings for exercising the right to receive compensation shall be brought before the courts designated competent under the law of the Member State referred to in Article 79 (2) (paragraph 6).

Direktivet

Article 23 of the Directive provided for the right to receive from the controller compensation for the damage suffered as a result of an unlawful processing operation or of any act incompatible with said Directive. A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage (fault of the data subject, force majeure, etc.).

This provision implied that a legal remedy is available under national legislation (recital 55).

Utfordringer

The first difficulty will be to determine the scope of the requirement of “participation” in the same processing. It seems that the provision considers that there could be a controller who does not participate in the processing (paragraph 2) without defining the scope of these terms. If so, it would be appropriate to admit that the qualification of a controller for a specific processing is not sufficient to give rise to liability for non-compliance.

But what do these conditions for “participation” refer to? The explanation for the concept is particularly unclear: whether the victim is confronted with joint controllers and they are bound by the solidarity rule or the controller is potentially responsible for infringement of the protection rules in the performance of the processing.

The concept is also used to define the liability of potential processors held jointly with one or more controllers (see paragraph 4). In the latter case, however, the participation can be conceived only if the processor acts on the controller’s instruction.

The other difficulty relates to the definition of joint liability. It seems that two conditions must be met: (i) the controllers and/or the processors shall be involved in the same processing and (ii) the violation of specific obligations shall be cause damage suffered by the claimant. However, it seems to be that responsibility for only part of the overall damage shall be sufficient for liability for the entire damage suffered by the claimant. The definition of joint liability seems to be very wide and, on reflection, very severe with respect to the processors who are not liable for the compliance, do not have the same obligations as the controller and who could be required to remedy part of the damages caused by faults not attributable to their service.  Not surprisingly, paragraph (5) allows a controller or processor who has had to pay full compensation to a claimant to recoup that part of the damages actually caused by other controllers or processors involved in the joint processing.

Finally, it should be noted that the text seems to exclude  possible liability of any possible processors processing data on behalf of the main processor. These processors of the processor  appear exempt from the joint liability rule.  Even more amazingly, the text only refers to joint liability of one controller with one processor while in practice, several controllers and processors can participate in the same processing.

Forordning
1e 2e

Art. 82

1.   Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2.   Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

3.   A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

4.   Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

5.   Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.

6.   Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).

1. forslag close

Art. 77

1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.

2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage.

3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage.

2. forslag close

Art. 77

1. Any person who has suffered material or immaterial damage as a result of a processing which is not in compliance with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.

2. Any controller (…) involved in the processing shall be liable for the damage caused by the processing which is not in compliance with this Regulation. A processor shall be liable for (…) the damage caused by the processing only where it has not complied with obligations of this Regulation specifically directed to processors or acted outside or contrary to lawful instructions of the controller.

3. A controller or the processor shall be exempted from liability in accordance with paragraph 2, (…) if (…) it proves that it is not in any way responsible (…) , for the event giving rise to the damage.

4. Where more than one controller or processor or a controller and a processor are involved in the same processing and, where they are, in accordance with paragraphs 2 and 3, responsible for any damage caused by the processing, (…) each controller or processor shall be held (…) liable for the entire damage.

5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage in accordance with the conditions set out in paragraph 2.

6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under national law of the Member State referred to in paragraph 2 of Article 75.

Direktiv close

Art. 23

1. Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.

2. The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.

 

 

Art. 82

Rett til erstatning og erstatningsansvar

1. Enhver person som har lidd materiell eller ikke-materiell skade som følge av en overtredelse av denne forordning, skal ha rett til å motta erstatning fra den behandlingsansvarlige eller databehandleren for den forvoldte skaden.

2. Enhver behandlingsansvarlig som vært involvert i behandlingen, skal være ansvarlig for skaden forårsaket av behandling som er i strid med denne forordning. En databehandler skal være ansvarlig for en skade forårsaket av behandling bare dersom vedkommende ikke har oppfylt forpliktelsene i denne forordning som særlig er rettet mot databehandlere, eller dersom vedkommende har opptrådt utenfor eller i strid med databehandlerens lovlige instrukser.

3. En behandlingsansvarlig eller databehandler skal fritas for erstatningsansvar i henhold til nr. 2 dersom vedkommende godtgjør at vedkommende på ingen måte er ansvarlig for hendelsen som førte til skaden.

4. Dersom flere enn én behandlingsansvarlig eller databehandler eller både en behandlingsansvarlig og en databehandler er involvert i samme behandling, og dersom de i henhold til nr. 2 og 3 er ansvarlige for eventuelle skader som forårsakes av behandlingen, skal hver behandlingsansvarlig eller databehandles holdes ansvarlig for hele skaden for å sikre at den registrerte mottar effektiv erstatning.

5. Dersom en behandlingsansvarlig eller databehandler i samsvar med nr. 4 har betalt full erstatning for den forvoldte skaden, skal nevnte behandlingsansvarlig eller databehandler fra de andre behandlingsansvarlige eller databehandlere som har vært involvert i samme behandling, ha rett til å kreve tilbake den delen av erstatningen som svarer til deres del av ansvaret for skaden, i samsvar med vilkårene fastsatt i nr. 2.

6. Retterganger med henblikk på utøvelse av retten til å motta erstatning, skal bringes inn for domstolene som har kompetanse i henhold til nasjonal rett i medlemsstaten nevnt i artikkel 79 nr. 2.

Gamle loven close

Pol. § 49 Erstatning

Den behandlingsansvarlige skal erstatte skade som er oppstått som følge av at personopplysninger er behandlet i strid med bestemmelser i eller i medhold av loven, med mindre det godtgjøres at skaden ikke skyldes feil eller forsømmelse på den behandlingsansvarliges side.

Behandlingsansvarlige som formidler kredittopplysninger og som har meddelt opplysninger som viser seg uriktige eller åpenbart misvisende, skal erstatte skade som er oppstått som følge av den feilaktige meddelelsen, uten hensyn til om skaden skyldes feil eller forsømmelse på den behandlingsansvarliges side.

Erstatningen skal svare til det økonomiske tapet som den skadelidte er påført som følge av den ulovlige behandlingen. Den behandlingsansvarlige kan også pålegges å betale slik erstatning for skade av ikke-økonomisk art (oppreisning) som synes rimelig.

 

 

close