Responsibility for the unlawful processing of personal data
Since 2018, European Regulation 2016/679 (the “GDPR”) has been in force in the member states of the EU; it governs the processing of personal data and the liability that arises when its provisions are violated.
In our legal system, the Regulation has led to the amendment of an Italian source of law (Legislative Decree no. 196/2003) which already regulated the processing of personal data and the related liability profiles.
On the one hand, the GDPR has introduced rules aimed at making the Data Controller (the “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”: art. 4, no. 7 of the GDPR) more “accountable”, prescribing specific obligations to which he is subject, with the consequence that he must compensate any damage caused by his conduct (art. 5).
On the other hand, the Regulation has assigned a leading role to the person in charge of the processing (i.e. the natural or legal person, or the public or private body, appointed by the Data Controller to manage the personal data of the data subject: art. 4, no. 8 of the GDPR), attributing to it various duties and the legal responsibilities that follow from them.
Under art. 82 of the GDPR, in fact, the Data Controller is liable for the damage caused by his conduct where that conduct violates the provisions of the GDPR, unless he demonstrates that the harmful event is not attributable to him. The Data Processing Manager, instead, is liable for the damage caused to the data subject (or to third parties) if he has acted outside of, or contrary to, the instructions given by the Data Controller, or if he has not fulfilled the obligations laid down by the Regulation.
The concept of damage and legal actions
However, before establishing the culpability profiles of both the Data Controller and the Data Processing Manager, it is advisable to first define the concept of “damage”.
According to the rulings of the Court of Justice of the EU, the categories of damage that can be caused by the unlawful processing of personal data include physical damage, material damage (economic and financial losses) and immaterial damage (e.g. discrimination, identity theft or usurpation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, etc.).
Therefore, anyone who believes that their right to privacy has been violated and that they have suffered damage deriving from the unlawful processing of personal data may take legal action before the competent authorities: a procedure before the National Privacy Guarantor Authority, aimed at assessing the conduct of the person in charge of the processing, and/or proceedings before the territorially competent Court, aimed at obtaining compensation for the damage suffered.
The Privacy Authority has the power to impose the sanctions provided for by the GDPR on the person responsible for the unlawful conduct. These sanctions are adopted taking into account: the nature, gravity and duration of the violation; the degree of responsibility and any previous relevant breaches; and the possible presence of wilful misconduct.
Furthermore, for the purposes of the severity and quantification of the sanction, the Privacy Authority also takes into consideration the following criteria, which constitute aggravating or mitigating factors of the conduct in question: the way in which it became aware of the violation, the recidivism of the Data Controller(s) and/or the Data Processor(s) with regard to the failure to comply with the measures already ordered against them, etc.
Case law
In the next articles we will examine in greater depth the issue of liability deriving from the unlawful processing of personal data, analysing the case law relating to the sectors in which violations of the GDPR are most frequently found: editorial and journalistic activity; advertising and promotion; health; and the telecommunications sector.