Liability of controllers

Controllers are ultimately accountable for their own compliance and the compliance of their processors.

The Information Commissioner can regulate and enforce compliance with the Applied GDPR and has powers to investigate, to order compliance, and to impose significant fines. Find out more about our powers.

An individual can also bring claims directly against a controller if the processing breaches the Applied GDPR, in particular if the processing causes the individual damage. The controller will be liable for any damage (and any associated claim for compensation payable to an individual) if the processing activities infringe the Applied GDPR.

However, you are not liable for damage resulting from a breach of the Applied GDPR if you can prove you were not in any way responsible for the event giving rise to the damage.

If you are not the only party involved in the processing (for example, a joint controller or processor is also involved), the individual making the claim for compensation can claim against any of you. If you have to pay full compensation for damage suffered by individuals, you may be able to claim back all or part of the amount of compensation from other controllers or processors involved in the processing, to the extent that they are at fault. Find out more about the remedies available to individuals.