Chapter VIII: Remedies, Liability, and Sanctions
Article 77: Right to lodge a complaint with a supervisory authority
1. Without prejudice to any other administrative or judicial remedy, every data
subject shall have the right to lodge a complaint with a supervisory authority,
in particular in the Member State of his or her habitual residence, place of
work or place of the alleged infringement if the data subject considers that the
processing of personal data relating to him or her infringes this Regulation.
2. The supervisory authority with which the complaint has been lodged shall
inform the complainant on the progress and the outcome of the complaint
including the possibility of a judicial remedy pursuant to Article 78.
Article 78: Right to an effective judicial remedy against a supervisory
authority
1. Without prejudice to any other administrative or non-judicial remedy, each
natural or legal person shall have the right to an effective judicial remedy
against a legally binding decision of a supervisory authority concerning them.
2. Without prejudice to any other administrative or non-judicial remedy, each
data subject shall have the right to a an effective judicial remedy where the
supervisory authority which is competent pursuant to Articles 55 and 56 does not
handle a complaint or does not inform the data subject within three months on
the progress or outcome of the complaint lodged pursuant to Article 77.
3. Proceedings against a supervisory authority shall be brought before the
courts of the Member State where the supervisory authority is established.
4. Where proceedings are brought against a decision of a supervisory authority
which was preceded by an opinion or a decision of the Board in the consistency
mechanism, the supervisory authority shall forward that opinion or decision to
the court.
Article 79: Right to an effective judicial remedy against a controller or
processor
1. Without prejudice to any available administrative or non-judicial remedy,
including the right to lodge a complaint with a supervisory authority pursuant
to Article 77, each data subject shall have the right to an effective judicial
remedy where he or she considers that his or her rights under this Regulation
have been infringed as a result of the processing of his or her personal data in
non-compliance with this Regulation.
2. Proceedings against a controller or a processor shall be brought before the
courts of the Member State where the controller or processor has an
establishment. Alternatively, such proceedings may be brought before the courts
of the Member State where the data subject has his or her habitual residence,
unless the controller or processor is a public authority of a Member State
acting in the exercise of its public powers.
Article 80: Representation of data subjects
1. The data subject shall have the right to mandate a not-for-profit body,
organisation or association which has been properly constituted in accordance
with the law of a Member State, has statutory objectives which are in the public
interest, and is active in the field of the protection of data subjects' rights
and freedoms with regard to the protection of their personal data to lodge the
complaint on his or her behalf, to exercise the rights referred to in Articles
77, 78 and 79 on his or her behalf, and to exercise the right to receive
compensation referred to in Article 82 on his or her behalf
where provided for by Member State law.
2. Member States may provide that any body, organisation or association referred
to in paragraph 1 of this Article, in dependently of a data subject's mandate,
has the right to lodge, in that Member State, a complaint with the supervisory
authority which is competent pursuant to Article 77 and to exercise the rights
referred to in Articles 78 and 79 if it considers that the rights of a data
subject under this Regulation have been infringed as a result of the processing.
Article
81:Suspension of proceedings
1. Where a competent court of a Member State has information on proceedings,
concerning the same subject matter as regards processing by the same controller
or processor, that are pending in a court in another Member State, it shall
contact that court in the other Member State to confirm the existence of such
proceedings.
2. Where proceedings concerning the same subject matter as regards processing of
the same controller or processor are pending in a court in another Member State,
any competent court other than the court first seized may suspend its
proceedings.
3. Where those proceedings are pending at first instance, any court other than
the court first seized may also, on the application of one of the parties,
decline jurisdiction if the court first seized has jurisdiction over the actions
in question and its law permits the consolidation thereof.
Article 82: Right to
compensation and liability
1. Any person who has suffered material or non-material damage as a result of an
infringement of this Regulation shall have the right to receive compensation
from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused
by processing which infringes this Regulation. A processor shall be liable for
the damage caused by processing only where it has not complied with obligations
of this Regulation specifically directed to processors or where it has acted
outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if
it proves that it is not in any way responsible for the event giving rise to the
damage.
4. Where more than one controller or processor, or both a controller and a
processor, are involved in the same processing and where they are, under
paragraphs 2 and 3, responsible for any damage caused by processing, each
controller or processor shall be held liable for the entire damage in order to
ensure effective compensation of the data subject.
5. Where a controller or processor has, in accordance with paragraph 4, paid
full compensation for the damage suffered, that controller or processor shall be
entitled to claim back from the other controllers or processors involved in the
same processing that part of the compensation corresponding to their part of
responsibility for the damage, in accordance with the conditions set out in
paragraph 2.
6. Court proceedings for exercising the right to receive compensation shall be
brought before the courts competent under the law of the Member State referred
to in Article 79(2).
Article 83: General conditions for imposing administrative fines
1. Each supervisory authority shall ensure that the imposition of administrative
fines pursuant to this Article in respect of infringements of this Regulation
referred to in paragraphs 4, 5 and 6 shall in each individual case be effective,
proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual
case, be imposed in addition to, or instead of, measures referred to in points
(a) to (h) and (j) of Article 58(2). When deciding whether to impose an
administrative fine and deciding on the amount of the administrative fine in
each individual case due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
3. If a controller or processor intentionally or negligently, for the same or
linked processing operations, infringes several provisions of this Regulation,
the total amount of the administrative fine shall not exceed the amount
specified for the gravest infringement.
4. Infringements of the following provisions shall, in accordance with paragraph
2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an
undertaking, up to 2 % of the total worldwide annual turnover of the preceding
financial year, whichever is higher:
(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
(b) the obligations of the certification body pursuant to Articles 42 and 43;
(c) the obligations of the monitoring body pursuant to Article 41(4).
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects' rights pursuant to Articles 12 to 22;
(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
(d) any obligations pursuant to Member State law adopted under Chapter IX;
(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data f lows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
6. Non-compliance with an order by the supervisory authority as referred to in
Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject
to administrative fines up to 20 000 000 EUR, or in the case of an undertaking,
up to 4 % of the total worldwide annual turnover of the preceding financial
year, whichever is higher.
7. Without prejudice to the corrective powers of supervisory authorities
pursuant to Article 58(2), each Member State may lay down the rules on whether
and to what extent administrative fines may be imposed on public authorities and
bodies established in that Member State.
8. The exercise by the supervisory authority of its powers under this Article
shall be subject to appropriate procedural safeguards in accordance with Union
and Member State law, including effective judicial remedy and due process.
9. Where the legal system of the Member State does not provide for
administrative fines, this Article may be applied in such a manner that the fine
is initiated by the competent supervisory authority and imposed by competent
national courts, while ensuring that those legal remedies are effective and have
an equivalent effect to the administrative fines imposed by supervisory
authorities. In any event, the fines imposed shall be effective, proportionate
and dissuasive. Those Member States shall notify to the Commission the
provisions of their laws which they adopt pursuant to this paragraph by 25 May
2018 and, without delay, any subsequent amendment law or amendment affecting
them.
Article 84: Penalties
1. Member States shall lay down the rules on other penalties applicable to
infringements of this Regulation in particular for infringements which are not
subject to administrative fines pursuant to Article 83, and shall take all
measures necessary to ensure that they are implemented. Such penalties shall be
effective, proportionate and dissuasive.
2. Each Member State shall notify to the Commission the provisions of its law
which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any
subsequent amendment affecting them.