A processor may be contractually liable to the controller for any failure to meet the terms of their agreed contract. This will of course depend on the exact terms of that contract.
It will also be subject to the relevant investigative and corrective powers of a supervisory authority (such as the ICO) and may be subject to administrative fines or other penalties.
An individual can also bring a claim directly against a processor in court. A processor can be held liable under Article 82 to pay compensation for any damage caused by processing, including non-material damage such as distress. A processor will only be liable for the damage if:
- it has failed to comply with GDPR provisions specifically relating to processors; or
- it has acted without the controller’s lawful instructions, or against those instructions.
It will not be liable if it can prove it is not responsible for the event giving rise to the damage.
If a processor is required to pay compensation, but is not wholly responsible for the damage, it may be able to claim back from the controller the share of the compensation for which the controller is responsible. Both parties should seek professional legal advice on this.