CIPP/US Study Guide
Chapter 14: The GDPR and International Privacy Issues

Enforcement: Complaints and Liability

A complaint can be initiated by a data subject or a DPA; where multiple DPAs are involved, a lead DPA is determined. Both controllers and processors can be liable to data subjects, and for the same processing each can be liable for the entire damage before seeking contribution.

EU data protection law shifted from an aspirational regime (under the 1995 Directive) to a compliance regime under the GDPR, largely because of fines. An administrative complaint can be initiated by a data subject or a DPA. A data subject can file with a DPA, or with courts where the issue occurred, where they reside, or where they work. When multiple DPAs have similar complaints, a Lead DPA must be determined.

If a data subject is dissatisfied with the DPA's decision, or the DPA fails to inform them of the outcome or progress within three months, they may bring the complaint to a national court. They may also seek a judicial remedy against the controller or processor where it is established or where the subject has habitual residence.

Joint and several-style liability

Both controllers and processors can be liable to data subjects. Where a controller and processor are involved in the same processing, each is liable for the entire damage; joint controllers are likewise each liable for the entire damage. After the data subject is fully compensated, the parties can seek contribution from each other according to their share. Either is exempt if not in any way responsible for the event.

Key terms - quick answers

What is “Lead DPA”?
The supervisory authority designated to take the lead when a complaint involves more than one DPA.