Liability of processors
Processors can be subject to the relevant investigative and corrective powers of the Information Commissioner and may be subject to administrative fines or other penalties.
They may also be contractually liable to the controller for any failure to meet the terms of the agreed contract. This will of course depend on the exact terms of that contract.
An individual can also bring a claim directly against the processor in court and the processor may be held liable under Article 82 of the Applied GDPR to pay compensation for any damage caused by processing (including non-material damage such as distress). You will only be liable for the damage if:
- you have failed to comply with provisions of the Applied GDPR specifically relating to processors; or
- you have acted without the controller’s lawful instructions or against those instructions.
The processor will not be liable if it can prove that it is not in any way responsible for the event giving rise to the damage.
If a processor is required to pay compensation but is not wholly responsible for the damage, it may be able to claim back from the controller, the share of the compensation for which they were liable. Both parties should seek professional legal advice on this.