The new EU General Data Protection Regulation (‘GDPR Regulation’) is due to come into effect on 25 May 2018. The new GDPR Regulation will provide a new way of thinking about data protection in the EU and is aimed at increasing the level of protection for individuals whose personal data are processed. The new rules are a big step towards strengthening the protection of individuals in the digital age.
The most important remedies for individuals provided by the GDPR Regulation are:
- a right to be compensated for damage suffered, and
- a right to obtain an effective judicial injunction.
As regards the right to compensation for the damage suffered by individuals, the GDPR Regulation states in Art 82 that any person who has suffered material or non-material damage as a result of an infringement of GDPR by the controller or processor of his/her personal data will have the right to seek compensation from the controller or processor before the court competent under the law of each Member State.
A controller or processor will be free from liability only if they prove that they are not in any way responsible for the event giving rise to the damage. A controller’s and processor’s liability for the damage is joint and several.
To prepare for GDPR, including for claims and complaints that might arise in the future, controllers and processors should ascertain that their network and information security are able to resist any accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data. Both controller and processor are also obliged to ensure that all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to promptly inform the supervisory authority and the data subject.
Seeking damages under GDPR might be easier for individuals than on a general basis, as:
- such entitlement will be provided directly by legislation of each Member State, and
- the controller or processor should be exempt from liability only if they prove that they are not in any way responsible for the damage.
For proceedings against a controller or processor, each individual who has suffered damage will have the right to choose whether to bring the action before the courts of the Member States where the controller or processor has an establishment or where he/she as the data subject resides.
As regards the right to an effective judicial injunction against a controller or processor, the GDPR Regulation states in Art 79 that any person who considers that his/her rights have been infringed as a result of the processing of his/her personal data, or where the supervisory authority does not act on a lodged complaint or partially or wholly rejects or dismisses a complaint, has a right to start judicial proceedings against a controller or a processor.
In such a case, the individual who is a data subject will not be obliged to prove that he/she suffered material or non-material damage. Any substantial infringement of his/her rights in the processing of his/her personal data will be sufficient to start legal action against the controller or processor and to demand any actions which are necessary to protect the rights of the data subject (e.g. a request to refrain from violating the individual’s right).
The complaint should be lodged before the courts of the Member State where the controller or processor has an establishment (not only a seat) or the data subject has his/her habitual residence.
The scale of the collection and sharing of personal data has increased significantly. Rapid technological developments and the age of globalization have brought new challenges for the protection of personal data. New technologies allow individuals’ personal data to be used widely, on an unprecedented scale and in various forms. The GDPR, which gives individuals new tools to protect their rights, should be considered positively as driving the harmonization of the protection of fundamental rights and freedoms of individuals and ensuring the free flow of personal data between the Member States.