169Compensation for contravention of other data protection legislationU.K.
(1)A person who suffers damage by reason of a contravention of a requirement of the data protection legislation, other than the [F1UK GDPR], is entitled to compensation for that damage from the controller or the processor, subject to subsections (2) and (3).
(2)Under subsection (1)—
(a)a controller involved in processing of personal data is liable for any damage caused by the processing, and
(b)a processor involved in processing of personal data is liable for damage caused by the processing only if the processor—
(i)has not complied with an obligation under the data protection legislation specifically directed at processors, or
(ii)has acted outside, or contrary to, the controller's lawful instructions.
(3)A controller or processor is not liable as described in subsection (2) if the controller or processor proves that the controller or processor is not in any way responsible for the event giving rise to the damage.
(4)A joint controller in respect of the processing of personal data to which Part 3 or 4 applies whose responsibilities are determined in an arrangement under section 58 or 104 is only liable as described in subsection (2) if the controller is responsible for compliance with the provision of the data protection legislation that is contravened.
(5)In this section, “damage” includes financial loss and damage not involving financial loss, such as distress.
Textual Amendments
F1Words in s. 169(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 70 (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)