8 Remedies
Extreme remedies are very appropriate for extreme diseases.
— Hippocrates
In Chapter 7 we discussed the enforcement mechanisms open to data subjects under GDPR; now let us examine the remedies available in those actions. This chapter discusses the “teeth” of the regulation, focusing on how noncompliance is punished. Throughout this book, we have discussed how GDPR creates a market of stern compliance by incorporating Controller/Processor accountability at all stages of processing. Remedies are how the law penalizes those who break it.
GDPR has two species of remedies available to carry out enforcement: compensation and administrative fines. Criminal penalties such as imprisonment or deprivation of profits1 are left to the Member States to legislate on further, subject to the rules of double jeopardy.2 Compensation is a civil remedy for damages claimed by the user, while administrative fines are handed down by the SA in exercise of its corrective authority.
8.1 Allocating Liability
The Controller and Processor are the two players under GDPR who will be held responsible in the event of a contravention. Although they share this liability, the burden can be shifted between the two based on the following rules.3
8.1.1 Controller Alone Liable
The Controller bears liability for any damage caused in processing that infringes GDPR.4 The entity bears this burden as a default unless it can prove that it (the Controller) is in no way liable for the event that caused the damage.5 This ...
Get Data Privacy and GDPR Handbook now with the O’Reilly learning platform.