The General Data Protection Regulation provides companies with an explanation of how personal data should be processed, setting out principles and obligations to be respected. To ensure compliance with these provisions, the GDPR provides for penalties. And, it also provides for the right of the data subject to compensation for damages, in case of violation of data protection rules.

Anyone who suffers from an unlawful processing of their personal data may, in fact, claim damages.            
Specifically, the GDPR states that the data controller or processor should compensate for any damage which a person may suffer as a result of processing that infringes the provisions. Nevertheless, the controller or processor should be exempt from liability if he proves that he is in no way responsible for the infringement.

In addition, the GDPR also provides for a sort of shared responsibility between the data controller and the data processor. In fact, where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage. Therefore, the data subject may request payment of the entire damage to only one of the parties, either the controller or the processor.

The data subject can claim material or non-material damages only when certain conditions are met:

1. The conduct (active or omissive) constitutes an infringement of the GDPR;
2. The conduct caused damage to the person concerned;
3. There is a causal link between the conduct and the damage.

Proof of these conditions should be provided by the data subject. On the other side, however, the data controller should prove that the infringement event is not caused by him and that he did not actually cause any damage. 

VGS Lawyers can assist you in rendering your company compliant with GDPR provisions, in order to avoid to be subject into such kind of claims.