The new EU General Data Protection Regulation (GDPR) is due to come into effect on 25 May 2018. The GDPR will provide a new concepts on data protection in the EU and it is aimed at increasing level of protection for individuals whose personal data are processed. The new rules are a big steps towards strengthening protection of individuals in the digital era.
The most important remedies for individuals provided by the GDPR are:
- the right of the individuals to be compensated for a damage suffered, and
- the right of the individuals to obtain an effective judicial injunction.
The right to compensation for the damage suffered by the individuals is stated in the Article 82 of GDPR, which provides that any person who has suffered material or non-material damage as a result of an infringement of GDPR by the controller or processor of his/her personal data, will have the right to seek compensation from the controller or processor before the court competent under the law of each Member State.
A controller or processor will be free from liability only if they prove that they are not in any way responsible for the event giving rise to the damage. A controller’s and processor’s liability for the damage is joint and several.
With respect to the right to an effective judicial injunction against a controller or processor, the GDPR states in Article 79 that any person that considers his/her rights have been infringed as a result of processing his/her personal data or where the supervisory authority does not act on a lodged complaint or partially or wholly rejects or dismisses a complaint has a right to start judicial proceedings against a controller or a processor.
In such a case, the individual which is a data subject will not be obliged to prove that he/she suffered a material or non-material damage. Any substantial infringement of his/her rights while processing their personal data will be sufficient to start legal action against the controller or processor and demand any actions which are necessary to protect the rights of the data subject (e.g. request to refrain from violating individual’s right).
The complaint should be lodged before the courts of the Member State where the controller or processor has an establishment (not only a seat) or the data subject has his/her habitual residence.
The GDPR should be characterized as positively driving to the harmonization of the protection of fundamental rights and freedoms of individuals and to ensure the free flow of personal data between the Member States.