We declare that DPD Hungary Korlátolt Felelősségű Társaság (registered address: 1134 Budapest, Váci út 33. 2. emelet, hereinafter DPD) has, in preparation for applying Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter the GDPR or Regulation), reviewed the personal data processing operations subject to the Regulation. Records have been made of the data identified in these operations, which operate lawfully in observance of the required principles.
The objectives and legal basis of the data processed, the categories of personal data involved in data processing (according to categories of those affected) and the criteria for retaining data have been formulated.
The technical and organisational measures for data security have been implemented. We have drawn up the technical organisational measures for data stored on paper and in IT devices, networks and servers, such as rights processing, servers, server security requirements and the possibility of pseudonymisation.
A Data Protection Officer has been appointed in the company. Our Data Protection and Data Security Regulations state the rules for detecting and handling data protection incidents and performing data protection impact studies and interests assessments.
We have Data Protection and Data Security Regulations in place and we accurately maintain our Data Forwarding Records and Data Protection Incident Records.
Our data processing is registered with the system of records kept by the National Data Protection and Freedom of Information Authority, and the registration number is given in the relevant regulations.
In respect of further tasks, we are aware of the objectives which must be attained to ensure that the rights of data subjects are fully honoured. Besides this, we endeavour to provide maximum protection of personal data and we respect the right of informational self-determination. We inform the data subjects of the legal redress open to them. Anyone may track and verify the course of data processing in DPD.
We declare that we carry out our activities in accordance with - in addition to the GDPR Regulation - the provisions of Act CLIX of 2012 on Postal Services, which applies to DPD's activity, and Act CXII of 2011 on Informational Self-Determination and Freedom of Information.
We require all of our partners to comply with the law, and all of the partners and subcontractors we use in the course of our activities meet the requirements of the data protection laws.
Szabolcs Czifrik
CEO, DPD Hungary Kft.
Name of data controller: DPD Hungary Kft.
Company registration number of data controller: Cg.01-09-888141
VAT number of data controller: 13034283-2-41
Registered office of data controller: 1134 Budapest, Váci út 33. 2. emelet
Electronic address of data controller: [email protected]
Representative of data controller: Szabolcs Czifrik (CEO)
Data protection officer: Dr. Gergő Soltész
Contact details of data protection officer: [email protected]
Dear Customers,
DPD Hungary Kft. (company registration number: Cg.01-09-888141, VAT number: 13034283-2-44, registered office: 1134 Budapest, Váci út 33. 2. emelet, hereinafter DPD HU), with due heed to the Regulation of the European Parliament and Council 2016/679 (hereinafter GDPR), makes the following declaration concerning requests from its customers to make data processing contracts.
Under Article 28 of the GDPR, a contract must be made between the controller and the processor obliging the processor to comply with the rules for processing personal data, to provide appropriate guarantees, and to implement appropriate technical and organisational measures to meet the requirements of the GDPR.
DPD HU proceeds as controller and not as processor in performing its courier services. The legal basis of data processing is “processing necessary for the performance of a contract” pursuant to Article 6(1)b) of the GDPR.
In providing the service, DPD HU alone determines the purposes and means of processing personal data. DPD HU undertakes responsibility for the collection, systemisation, processing and storage of personal data.
DPD HU has the right to preserve the collected data after the extinction of the contract (is not obliged to erase the data at the customer’s instruction) within the period required for pursuit and assessment of any legal claims (e.g. assessment of a claim for compensation concerning lost or damaged parcels).
In the above case, therefore, where DPD HU provides exclusively courier services, it processes customer-related personal data as controller and not as processor. The GDPR does not specify the obligation to make a processor contract in such a case.
For further information concerning the processing of personal data, please read the data protection information on our website.
Szabolcs Czifrik
CEO, DPD Hungary Kft.
Core activities of the Company: other postal and courier activity.
The Company collects consignments, transports, sorts and delivers consignments to destinations within Hungary and abroad specified by the sender of the consignments, and provides internet tracking of consignments for the sender. The Company receives personal data in the course of providing its services. This data comprises names, addresses, phone numbers and e-mail addresses. The data is required to fulfil courier activities.
Purpose of data processing: to provide courier services
Categories of data processed:
for senders of consignments: partner ID, partner name, VAT number, registered office or residential address, e-mail address, phone number, billing data, date of conclusion of contract
Legal basis for data processing: “processing necessary for the performance of a contract” pursuant to Article 6(1)b) of the GDPR and performance of legal obligations pursuant to GDPR Article 6 (1) c).
Time limit for storage of data:
means of data storage: paper and electronic
Debt management
The Company’s customers may accumulate debts to the Company. In such cases, the Company’s debt management department initiates a debt management procedure. If the procedure is without result, we forward the customer’s data for debt management purposes to a solicitor or debt management company.
Purpose of data processing: debt recovery
Categories of data processed:
partner ID
partner name
VAT number
registered office or residential address
e-mail address
phone number
date of first and second warning
billing data
contract date
Legal basis of data processing: processing necessary for the purposes of the legitimate interests pursued by the Company, in accordance with Article 6(1)f) of the GDPR
Time limit for data storage: settlement of the debt, or expiry under civil law of the time limit for management of debts (5 years)
Complaints management
The Company investigates complaints without charge in a simple, transparent and non-discriminative procedure and keeps records of the complaints and how they are managed. The rules of complaints management as it affects customers are given in the GTC.
Purpose of data processing: recording, investigation and appraisal of complaints
Categories of data processed:
date of collection of consignment
parcel number printed on the parcel label of the consignment
data of the complainant (customer/recipient), comprising name, address/registered office, identification numbers (parcel number, reference number), VAT number and possibly bank account number, signature, and the fax number or e-mail address or correspondence address to which the Company may send a written reply
description of complaint, covering the faults in the consignment or the service and the presumed cause of the fault
description of the damage and determination of the amount of compensation claimed
voice of the data subject (the phone conversation is recorded)
documents certifying grounds for complaint and enabling the claim to be verified, such as a document concerning the content of the consignment (delivery note, purchase invoice, photographs, etc.)
documents certifying the purchase price of the consignment and possibly its costs of production
a record taken jointly with the courier
where there is good reason, an expert statement required to establish the damage
Legal basis of data processing: processing necessary for compliance with a legal obligation, pursuant to Article 6(1)c) of the GDPR and to Section 17/A(6)–(7) of Act CLV of 1997.
Time limit of data storage: the Company is obliged to keep the complaint record and a copy of the reply for five years and to present these to the supervising authorities on request (Section 17/A(7) of the Consumer Protection Act).
Means of data storage: paper and electronic
Data processing related to recording of telephone conversations
Under section 17/B (3) of Act CLV of 1997 on Consumer Protection, conversations with DPD are recorded, an individual identifier is attached to the conversation, and the related personal data are processed as follows:
Purpose of data processing: recording of complaints and evidence for resolution of customer claims and legal disputes, recording and assessment of fault reports, proof of agreement, certification of non-recoverability, and quality assurance
Categories of data processed:
consignment collection date
parcel number on consignment label
data of the complainant (customer/recipient), comprising name, address/registered office, identification numbers (parcel number, reference number), VAT number and possibly bank account number, signature, and the fax number or e-mail address or correspondence address to which the Company may send a written reply
description of complaint, covering the faults in the consignment or the service and the presumed cause of the fault
description of the damage and determination of the amount of compensation claimed
voice of data subject
documents certifying grounds for complaint and enabling the claim to be verified, such as a document concerning the content of the consignment (delivery note, purchase invoice, photographs, etc.)
documents certifying the purchase price of the consignment and possibly its costs of production
a record taken jointly with the courier
where there is good reason, an expert statement required to establish the damage
legal basis of processing: Section 17/A-C of Act CLV of 1997 on Consumer Protection, GDPR Article 6(1)c) (performance of a legal obligation, with due regard to Section 57(1) of the Post Act and Section 17/B(3) of the Consumer Protection Act).
Time limit of data storage: the Company is obliged to keep the complaint record and a copy of the reply for five years and to present these to the supervising authorities on request (Section 17/A(7) of the Consumer Protection Act).
Means of data storage: paper and electronic
Request for quotation
A quotation may be requested via a link on the website in the Contact menu and in the Sending parcels menu.
Purpose of data processing: identification of website visitors who initiate contact and making electronic services accessible to these visitors
Categories of data processed:
Legal basis of data processing: consent by data subject, pursuant to Article 6(1)a) of the GDPR.
Time limit of data storage: 2 years from receipt of data
Means of data storage: electronic
Website operation
The Company operates its own website, available at https://www.dpd.com/hu. Automatic data collection (cookies, Google Analytics, etc.) takes place on the website. Logging in to and out of the website is facilitated for visitors by small data packages known as cookies, which the website places on, and reads back from, the visitor's IT device. Cookies serve the proper functioning of the website, more efficient service, and the collection of anonymised statistical data. The visitor can delete cookies from his or her IT device, or they are deleted automatically when the browser is closed, and the visitor may also manually set the browser to block the use of cookies. The visitor can still use the website even if he or she manually disables the use of cookies in the browser settings.
The website uses the unique, temporarily placed “spublic” cookie to identify sessions, that is, to determine whether or not the visitor is logged in to the website. The “spublic” cookie thus facilitates logging in to and out of the website for visitors. The “spublic” cookie is a temporary cookie which is automatically deleted from the visitor's IT device when the browser is closed, and which the visitor can also delete manually in the browser settings.
The following cookies are used to determine the following statistical data, collected for that purpose, relating to visits to the website and its traffic:
whether the visitor arrived at the website via a search engine, keyword or link (“utmz” cookie)
how many times the visitor has visited the website (“utmb” cookie)
how long the visitor stayed on the website (“utma” and “utmv” cookies)
when the visitor first visited the website (“utma” and “utmv” cookies)
when the visitor last visited the website (“utmc” and “utmv” cookies)
In addition to the above, certain cookies protect the website from overload (“utmt” cookie), and certain cookies used by Google Analytics also record the IP address of the IT device used by the visitor for analytical, statistical and security purposes. Data storage takes place on the visitor's IT device. Independent measurement and auditing of the website's traffic and other web analytics data is thus supported by the servers of Google Analytics, as an external service provider, by means of the cookies listed above. The controller of the measurement data provides detailed information on the processing of these data at https://www.google.com/analytics/, and further information on Google's privacy principles is available here: http://www.google.hu/intl/hu/policies/privacy/.
The data transmitted from the website to the Google Analytics servers are not directly suitable for uniquely identifying the visitor concerned; on the basis of these data, only the IP address of the IT device can be identified.
Purpose of data processing: during visits to the website, the service provider records visitor data in order to monitor the operation of the service and to prevent abuse
Categories of data processed: date, time, IP address of the user's computer, address of the page visited, address of the previously visited page, data relating to the user's operating system and browser
Legal basis of data processing: consent by data subject, pursuant to Article 6(1)a) of the GDPR, and Section 13/A(3) of Act CVIII of 2001 on certain issues of information society services
Time limit of data storage: 30 days from viewing the website
Means of data storage: electronic
Data recorded by video surveillance system
In places where cameras record still and video images for an electronic surveillance system, there are signs displaying the exact locations of the cameras and the fact of recording.
Personal data relating to the video surveillance system are processed as follows:
Purpose of data processing: to document the secure storage, handling and transportation of high-value warehouse stocks, and their despatch from the warehouse intact and without omissions.
Categories of data processed: images of data subjects and data obtainable from camera images (location and duration of stay)
Legal basis of data processing: GDPR Article 6 (1) f), the legitimate interests of the Company.
Time limit of data storage: until the purpose has been served, maximum 30 days
Means of data storage: electronic
DPD career portal
DPD operates a career portal to advertise vacancies at https://dpd.karrierportal.hu/allasok. This provides facilities to apply for advertised jobs and to upload CVs in the hope of future cooperation.
Information essential for selection is stored on this portal.
Purpose of data processing: filling of vacancies, recruitment
Categories of data processed: mandatory details: surname, forename, e-mail address, postal code of permanent and temporary address, e-mail address, highest educational qualification, language proficiency, relevant employment experience, preferred area of work, place of work, working hours, anticipated minimum net monthly earnings, date available for employment, working hours, driving licence, forklift driving licence
Optional data: gender, alternative e-mail address, phone number, photograph, preferred level of activity, other data given by data subject
Legal basis of data processing: consent given by the data subject, in accordance with article 6(1) of the GDPR
Time limit of data storage: two years after the data is given
Means of data storage: electronic
Data processing not mentioned above is explained at the time of recording the data.
DPD takes the following measures to ensure the security of personal data processed on paper:
only authorised persons may have knowledge of the data, and no others may access it
documents are placed in a locked, dry room protected with fire and security equipment
only relevant persons have access to documents in constant active use
during the day, the DPD employee performing data processing must lock the relevant data medium or lock the office before leaving the room where data processing is in progress
when the DPD employee performing data processing finishes work, he or she closes the paper-based data medium
if personal data held on paper media are digitised, the Company handles the data in accordance with the security rules applying to digitally stored documents
When the purpose of processing the personal data stored on paper has been fulfilled, the Company arranges for the paper to be destroyed. Where the medium carrying the personal data is a physical medium other than paper, the destruction of that medium is subject to the rules for destroying paper-based documents.
The measures taken and the guarantees offered by the Company to ensure the security of personal data stored on a computer or on the computer network are as follows:
the Company is the owner, or has rights equivalent to ownership, of the computers used for data processing
data stored on the computer can only be accessed with valid personal ID rights (at least username and password), and the Company ensures that passwords are changed regularly or whenever there is good reason to do so
all computer records involving the data are logged
data stored on a network server can be accessed only with appropriate rights and by designated persons
when the purpose of data processing has been fulfilled or the data processing time limit has expired, the file containing the data is irreversibly erased and thereafter the data cannot be retrieved
to ensure the security of data stored on the network, the Company protects the servers with high availability infrastructure and prevents data loss with backups and archiving.
the data medium on which backed-up data is stored is held in an appropriate safe in a firesafe place
virus protection is continuously provided for the network on which personal data is processed
appropriate IT devices are available and applied to prevent network access by unauthorised persons
The measures taken and guarantees offered by the Company for the physical protection of the servers in the server room where personal data is stored are as follows:
firewalls are provided for the physical protection of the server room
the server room is air-conditioned and is protected by a fire alarm
only a person with permission to take out the key to the server room may enter the server room
the controller keeps records of persons having permission to take out the key
Rights management is designed to provide documentation and trackability of allocated rights and to ensure that the activity of persons holding the rights and the categories of data they use can be verified. By ensuring that this data is up-to-date, the Company is better able to attain the level of security that is reasonably expected and within its capabilities, and to operate the IT network in accordance with the law and industry norms.
The Company applies the following rights management specifications to ensure the security of personal data:
the IT officer sets new rights and changes existing rights under authorisation of the possessor of the rights
only the rights necessary and sufficient for performing work are allocated
persons carrying out other work or not requesting rights are prevented from receiving full access or administrator rights
a named user with administrator rights must be employed to provide system administration wherever possible. Anonymous system administrator passwords must be stored in a signed and sealed envelope that cannot be easily opened. Their use may be permitted by a senior official of the controller or by the deputy designated in the order of deputisation in case the official is unavailable. The use of anonymous user rights must be documented and the grounds for their use stated
employees of external – maintenance or developer – companies do not have continuously-operating, indefinite-period access rights
To comply with the GDPR, DPD endeavours to minimise the personal data that is processed, to pseudonymise personal data, to ensure transparency of the function and processing of personal data, to enable the data subject to trace the data processing and to create and improve security elements. By introducing “privacy by design”, the Company takes heed of the GDPR rules before the commencement of data processing – for example, during the period of project preparation. Privacy by design is the sum of internal Company procedures by which it endeavours – independently of external regulations – to give maximum protection to the privacy of data subjects.
We use your data only for declared purposes related to our business activities. We do not disclose the data we process to anyone or for purposes not directly connected with our services, except for the following cases:
Fulfilment of legal obligations
There are cases when the Company is legally obliged, when requested by relevant bodies, to disclose data it processes. Such bodies are, for example, state administration bodies and authorities, health and social insurance bodies and auditors.
Processors are natural or legal persons, public authorities, agencies or other bodies which process personal data on behalf of the controller.
The processors are (not a complete list):
1. Subcontractor couriers
Businesses that collect and deliver parcels on behalf of DPD under contract.
Categories of data processed: identifiers and contact details of the senders and recipients of parcels.
2. Organisations cooperating with DPDgroup and partners involved in carriage
For international services, carriage/forwarding of parcels abroad is carried out by organizational units or partners of DPDgroup that are responsible for such services provided in the relevant country.
Categories of data processed: identifiers of the senders and recipients of parcels and data required for contact.
3. Infocommunication service providers
Where necessary, DPD discloses data to infocommunication service providers under controlled conditions. Such cases are:
to make services more efficient (particularly to optimise shipping processes)
where notification services are used (provision of parcel data)
in connection with the service charge for COD services, etc.
Categories of data processed: identifiers and contact details of the senders and recipients of parcels, data identifying users of online applications.
4. Service providers
Some companies that take a limited part in DPD activities come into contact with data. These are usually subcontractors whose employees are responsible for loading and sorting parcels.
Categories of data processed: delivery data on the parcel labels.
Also coming under this heading is the company that operates the career portal for DPD. The data and CVs of persons who apply for positions with DPD or register on its database are uploaded to the web interface provided by that company.
Categories of data processed:
mandatory data: surname, forename, e-mail address, postal code of permanent and temporary address, e-mail address, highest educational qualification, language proficiency, relevant employment experience, preferred area of work, place of work, working hours, anticipated minimum net monthly earnings, date available for employment, working hours, driving licence, forklift driving licence
optional data: place of birth, year of birth, gender, alternative e-mail address, phone number, photograph, preferred level of activity, other data given by the data subject.
5. Debt management
If DPD’s debt management procedure is without result, we disclose the customer’s data to a solicitor or debt management company for the purpose of debt management.
Categories of data processed: data required for recovery of debts
DPD makes data processing contracts with every processor. In these, both parties undertake to comply with the data protection laws and the data security requirements specified by DPD.
In the course of its activities, DPD performs data processing exclusively in accordance with the law.
Personal data processed by DPD may not be used for private purposes and our data processing at all times complies with the principle of appropriate use: we process personal data only for a specific purpose, to exercise a right or perform an obligation, to the minimum extent and for the minimum period necessary to fulfil the purpose.
When the purpose of data processing has ceased or if the processing of the data is otherwise unlawful, the data are erased.
DPD processes data only with the prior and (in the case of special personal data) written consent of the data subject or pursuant to law or statutory authorisation, and in every case we inform the data subject of the purpose of processing the data and the legal basis of data processing before recording the data.
The employees who perform the data processing in the Company’s organisational units and employees of organisations involved in data processing or performing any data processing operation on behalf of the Company regard the personal data known to them as confidential business information.
If personal data processed by the Company is defective, deficient or out of date, the Company is obliged to rectify it or instruct the employee responsible for recording data to rectify it.
We make processor contracts with natural or legal persons or organisations without legal personality which the Company engages as processors.
Data subjects may by law exercise many rights concerning their personal data. If you wish to exercise these rights please make a request by sending an e-mail message to the address [email protected].
Right of access
The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information listed in the GDPR.
Right to rectification
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure
The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller has the obligation to erase personal data without undue delay where specific grounds apply.
Right to be forgotten
Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, takes reasonable steps, including technical measures, to erase any links to, or copy or replication of, these personal data.
Right to restriction of processing
The data subject has the right to obtain from the controller restriction of processing where one of the following applies:
the accuracy of the personal data is contested by the data subject, in which case the restriction persists for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
the data subject has objected to processing, in which case the restriction applies pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to data portability
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which has been processed in pursuance of the rightful interests of the controller.
Right concerning automated decision-making
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. A subject who has nonetheless been the subject of automated decision-making and does not agree with the outcome may request a review of the decision.
Verification prior to the exercise of data subjects’ rights
We place great emphasis on the protection of data subjects’ rights, and so we take great care to verify that requests involving data processing and other requests defined in the GDPR originate from the holder of the rights. Checking the identity of data subjects does not affect general enquiries.
We reserve the right to check your identity to establish entitlement to make the request.
If we are unable to establish your identity beyond reasonable doubt, we are unable to disclose the data requested or carry out the operation you requested.
When providing its services, DPD alone determines the purposes and means of processing personal data. DPD undertakes responsibility for the collection, systemisation, processing and storage of personal data.
In some cases, however, DPD’s liability is excluded, for example:
if the damage occurred because of your own data processing which infringes the GDPR
if, through the fault of a controller, we acquired certain items of data which we did not request or which we did not consent to being given by the data provider
if our customer obtained the data subject’s data without consent and forwarded the data to us
if a customer of ours which provides services to children forwarded children’s personal data to DPD without obtaining the permission of the person exercising the right of parental supervision
The controller must inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. (GDPR Article 12(4))
Supervisory authority:
Name: National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa u. 9-11.
Postal address: 1363 Budapest, Pf.: 9.
Phone: (06 1) 391 1400
Fax: (06 1) 391 1410
E-mail: [email protected]
Website: www.naih.hu
Compensation
Any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. (GDPR Article 82(1)). Any controller involved in processing is liable for the damage caused by processing which infringes the GDPR. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. (GDPR Article 82(2)). A controller or processor is exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage. (GDPR Article 82(3)). Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject (GDPR Article 82(4)).
Last updated 18/05/2020