(1)This section applies if, on an application by a data subject, a court is satisfied that there has been an infringement of the data subject’s rights under the data protection legislation in contravention of that legislation.
(2)A court may make an order for the purposes of securing compliance with the data protection legislation which requires the controller in respect of the processing, or a processor acting on behalf of that controller—
(a)to take steps specified in the order, or
(b)to refrain from taking steps specified in the order.
(3)The order may, in relation to each step, specify the time at which, or the period within which, it must be taken.
(4)In subsection (1)—
(a)the reference to an application by a data subject includes an application made in exercise of the right under Article 79(1) of the GDPR (right to an effective remedy against a controller or processor);
(b)the reference to the data protection legislation does not include Part 4 of this Act or regulations made under that Part.
(5)In relation to a joint controller in respect of the processing of personal data to which Part 3 applies whose responsibilities are determined in an arrangement under section 58, a court may only make an order under this section if the controller is responsible for compliance with the provision of the data protection legislation that is contravened.
(1)In Article 82 of the GDPR (right to compensation for material or non-material damage), “non-material damage” includes distress.
(2)Subsection (3) applies where—
(a)in accordance with rules of court, proceedings under Article 82 of the GDPR are brought by a representative body on behalf of a person, and
(b)a court orders the payment of compensation.
(3)The court may make an order providing for the compensation to be paid on behalf of the person to—
(a)the representative body, or
(b)such other person as the court thinks fit.
(1)A person who suffers damage by reason of a contravention of a requirement of the data protection legislation, other than the GDPR, is entitled to compensation for that damage from the controller or the processor, subject to subsections (2) and (3).
(2)Under subsection (1)—
(a)a controller involved in processing of personal data is liable for any damage caused by the processing, and
(b)a processor involved in processing of personal data is liable for damage caused by the processing only if the processor—
(i)has not complied with an obligation under the data protection legislation specifically directed at processors, or
(ii)has acted outside, or contrary to, the controller’s lawful instructions.
(3)A controller or processor is not liable as described in subsection (2) if the controller or processor proves that the controller or processor is not in any way responsible for the event giving rise to the damage.
(4)A joint controller in respect of the processing of personal data to which Part 3 or 4 applies whose responsibilities are determined in an arrangement under section 58 or 104 is only liable as described in subsection (2) if the controller is responsible for compliance with the provision of the data protection legislation that is contravened.
(5)In this section, “damage” includes financial loss and damage not involving financial loss, such as distress.