The General Data Protection Regulation and Civil Liability

Abstract

The General Data Protection Regulation (GDPR) took effect on 25 May 2018, on which date Directive 95/46/EC was repealed. The new GDPR has in some ways enhanced the protection of personal data: data subjects have expanded rights and plaintiffs suffering harm for a data breach may file for restitution for their damage on the basis of the more comprehensive and coherent liability provision of Article 82. Many of the amendments and clarifications of this new provision are intended to (a) address the significant divergence in the liability rules transposing Article 23 of the repealed Data Protection Directive into national legislation and (b) complement such rules. These amendments are, mostly, very welcome, including: an explicit provision for compensation of moral damage, liability under certain conditions of the processor and joint liability of persons who have jointly caused the damage, and a right of representation of the data subject by a competent association.