The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email: segreteria@imperialida.com

Liability in the GDPR

With today’s episode on liability, we complete our legal analysis on the triad of adequacy, accountability and liability with regard to data protection law.

Adequacy

Adequacy – as stated in the January 25, 2024 Bulletin – is the element to which the level of compliance required by law is tied for those requirements that adopt a risk-based approach. The Regulation's requirements can, in fact, generally be divided into two distinct types:

  • Those that require a preliminary assessment of the underlying risk, since compliance is parameterized to the risk so determined (e.g., protection by design and by default, Art. 25; adoption of security measures, Art. 32; impact assessment, Art. 35).
  • Those that are accomplished in a documentary representation (e.g., the privacy notice, Art. 13 and 14, contractual obligations between co-controllers, Art. 26, and between controllers and processors, Art. 28, the record of processing, Art. 30, and others).

Regarding the first type of compliance, adequacy is both a substantive element of compliance and a determining criterion of the controller's liability: "inadequate" conduct signals liability for noncompliance with the legal requirement.

Accountability

The principle of accountability – the subject of the April 4, 2024 Bulletin – is general and applies to every requirement of the Regulation. It means that compliance is not limited to meeting the GDPR requirement but also includes the ability to demonstrate that it has been met. Accordingly, accountability emphasizes the traceability of compliance for the benefit of any subsequent verification.

For example, a privacy notice given orally that the controller is unable to prove was given is equivalent to a failure to inform, incurring liability for the corresponding infringement.

Liability for data processing

"Liability" – the third profile, covered in this episode – denotes two distinct legal aspects:

  • The imputation, i.e., the attribution of a given violation to a specific party held legally "responsible"
  • The effects, that is, the legal consequences caused by the infringement.

Infringement of the requirements of the GDPR results in a twofold form of liability for the data controller and, in certain circumstances, also for the processor:

  • Liability for violation of the law
  • Liability for any damage caused by its own processing.

The data controller is the main addressee of the requirements of the General Regulation and, consequently and as a rule, is the one who is liable:

  • both for the consequences of infringing the requirements
  • and for any damage caused by its own processing.