What is a controller’s liability when it uses a processor?

A controller is primarily responsible for its own compliance and for ensuring the compliance of its processors. This means that, regardless of the terms of the contract with a processor, the controller may be subject to any of the corrective measures and sanctions set out in the GDPR. These include orders to bring processing into compliance, claims for compensation from a data subject and administrative fines.

An individual can bring claims directly against a controller if the processing breaches the GDPR, in particular where the processing causes the individual damage.

A controller will be liable for any damage (and any associated claim for compensation payable to an individual) if its processing activities infringe the GDPR.

However, a controller will not be liable for damage resulting from a breach of the GDPR if it can prove it was not in any way responsible for the event giving rise to the damage.

If a processor is involved in the processing, the individual making the claim for compensation can claim against either party. If a controller has to pay full compensation for damage suffered by individuals, it may be able to claim back all or part of the amount of compensation from a processor involved in the processing, to the extent that the processor is at fault.