Remedies for individuals
Individuals have several remedies against controllers or processors if they consider that their rights have been breached or there is non-compliance with the requirements of the law. These remedies can be sought without prejudicing any other action or remedy.
The remedies include the rights to:
- make a complaint to the Commissioner
- an effective judicial remedy against a controller or processor
- receive compensation for material or non-material damage
- an effective judicial remedy against a supervisory authority
Where there is non-compliance with the requirements of the law (other than non-compliance with rights) these remedies can be exercised against processors as well as controllers.
Taking action on behalf of a data subject
Article 80 of the Applied GDPR permits individuals to give authority to a third party to act on their behalf to seek a remedy against a controller or processor. Such a third party must be properly constituted not-for-profit body, organisation or association, with objectives in the public interest, and active in the field of the data protection (a "representative body").
Regulation 139(1)(b) of the Implementing Regulations permits an individual to authorise a representative body to make a claim for compensation on their behalf under Article 82 of the Applied GDPR. The ability to appoint a representative body under Article 80 does not stop an individual from engaging a lawyer or advocate to act on their behalf when exercising either their rights or seeking remedies.