A fundamental principle under the General Data Protection Regulation (EU) 2016/679 is the protection of natural persons with regard to the processing of their personal data and the consequent need, for each legal system, to develop reaction mechanisms against conduct that could harm individuals.

Data processing is, per se, an activity that exposes others (the data subjects) to a “risk”. This “risk” is accepted by the legal system, but the economic and/or social utility of the data processing must be balanced with a system of safeguards aimed at reducing those risks where possible and at compensating damages when the “risk” becomes a concrete prejudice.

What are the main risks (and, therefore, the possible main damages) associated with data processing? The answer lies in Recital 75 of the GDPR:

“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects”.

Codes of Conduct and Certification

Article 82 of the GDPR (“Right to compensation and liability”) makes clear the importance of regulating the liabilities of the controller and the processor by adopting codes of conduct and certification.

As regards the Codes, Recital 98 states as follows: “Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons”.

In Recital 100 it is stated: “In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services”.

It must be noted that the adoption of codes of conduct or certification is not sufficient for the purposes of exemption from liability. In fact, Article 42, paragraph 4, states: “a certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation”.

Concurrently, however, the same Regulation sets forth: “Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller” (Article 24, paragraph 3).

Therefore, even though adherence to codes of conduct and certification is not sufficient for the purposes of exemption from liability, they are useful and expressly recommended tools for ensuring compliance with the GDPR.

Damages and liability: Article 82 of the Regulation

Pursuant to Article 82 of Regulation (EU) 2016/679: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”.

The first paragraph of Article 82 therefore affirms the right of the data subject (the damaged person) to obtain damages, both material and non-material. This right arises at the moment when conduct, whether active or omissive, is put in place that constitutes an infringement of a prescription of the Regulation.

Unlike the provision of Article 15 of the Italian Privacy Code (“Any person who damages others as a result of the processing of personal data is liable for compensation pursuant to Article 2050 of the Italian Civil Code”), it should be noted that the perspective of the Regulation is focused on the “damaged person” (and not on the person who caused the damage).

However, the most relevant point is the identification of the person obliged to pay compensation.

The Italian Privacy Code identifies the person liable for the damage as “any person”; the Regulation indicates the controller and the processor.

The foregoing leads to a first issue that will certainly have to be solved at the application stage, i.e. the possibility, in the event of an infringement of the Regulation, of attributing liability and the consequent compensation obligations to a person “different” from those indicated in the first paragraph of Article 82.

While awaiting clarifications from the Data Protection Authority, and having regard to the general rules set out in our Civil Code, namely Article 2043 of the Italian Civil Code (Compensation for damage arising from a wrongful act), Article 2050 of the Italian Civil Code (Liability for the exercise of hazardous activities) and Article 2055 of the Italian Civil Code (Joint and several liability), it can already reasonably be ruled out that any persons “different” from those indicated in Article 82 of the Regulation may consider themselves exempt from liability should they cause any damage to the data subjects.

Further on, Article 82 of the Regulation governs the issue of the allocation of responsibilities in line with the provisions of Recital 79: “The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller”.

And in applying the foregoing, the second paragraph of Article 82 of the Regulation states: “Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller”.

The controller, therefore, is liable for the damage caused by unlawful processing; the processor is liable for breach of the duties imposed upon it or if it has disregarded the controller’s instructions.

It has been observed that the provision in question seems to outline very restrictive rules for the cases in which liability falls on the controller and the processor. That is not so.

In fact, the aforementioned provision must be supplemented and, therefore, read together with the following:

(i) as regards the controller, Recital 146: “This (the reference to infringements of the Regulation, ed. note) is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law. Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation”;

(ii) as regards the processor, Article 28, paragraph 3: “With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.”

Therefore the controller will be liable not only in the event of an infringement of the Regulation, but also in the event of non-compliance with the other provisions laid down in the implementing rules, the delegated acts and the implementing acts of the Regulation, and in other provisions of Member States, where applicable.

As regards the processor, while the rule seems to limit its liability solely to active or omissive conduct with respect to the prescriptions of the Regulation and/or the controller’s instructions (directives/indications), the processor in fact bears a duty of a general nature: it is also tasked with notifying the controller in the case of incorrectly regulated conduct. Therefore, it could possibly be subject to liability (in this case, jointly with the controller) also (and only) for “omitted” information.

Pursuant to paragraph 3 of Article 82: “A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage”.

The rule therefore identifies the conditions under which the controller or processor is exempt from liability. They should prove:

  1. that they are not responsible for the event giving rise to the damage and, therefore, that they have no involvement in the source of the damage;
  2. that they took all appropriate measures for avoiding the damage.

There is therefore a reversal of the burden of proof amounting to a presumption of fault. The “defendants” must prove that they are “innocent”, in other words that they took all appropriate measures to avoid the damage.

Pursuant to paragraph 4 of Article 82: “Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject”.

The rule therefore governs the joint and several liability of the controller and the processor to pay compensation for the damage to the data subject.

Worthy of note is the reference to the “involvement” in the same processing.

By this expression, the Regulation intends to refer to any form of participation, whether active or passive, taking into account the obligations bearing on each party in the processing that caused the damage.

Therefore, considering the provision referred to in paragraph 3 of Article 82 (examined above), it becomes imperative to define in detail, in privacy policies, the “instructions” for which the controller is responsible and the contractual provisions governing the controller’s contractual duties (obligations).

Pursuant to paragraph 5 of Article 82: “Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2”.

The rule therefore governs the financial consequences of the damage in the internal relations between the parties. Here there is no joint and several liability but rather pro rata liability.

The concrete issue is that of the “calculation criteria” for the degree/extent of liability among the various responsible persons.

A guideline for solving this issue will certainly be verification of the compliance, by each of the parties involved, with the duties expressly placed on each of them by law.

The importance of adopting valid Codes of Conduct is confirmed in this case as well.