Article 77*
Article 77 – Right to compensation and liability
Commission Proposal
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage.
3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage. |
EDRi’s proposed amendment
1. Any person who has suffered monetary damage or non-monetary damages such as distress or time loss as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage. In the case of a group of undertakings, the entire group shall be liable as a single economic entity. 3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage. |
Justification
This amendment clarifies that compensation can also be awarded for non-monetary damages such as distress or time loss, as these can be more important for the data subject.
Holding the entire group liable for a breach committed by a subsidiary is suggested in line with the EDPS opinion, drawing inspiration from competition law.