The General Data Protection Regulation and Civil Liability

Personal Data in Competition, Consumer Protection and Intellectual Property Law

Part of the book series: MPI Studies on Intellectual Property and Competition Law (MSIP, volume 28)

Abstract

The General Data Protection Regulation (GDPR) took effect on 25 May 2018, on which date Directive 95/46/EC was repealed. The new GDPR has in some ways enhanced the protection of personal data: data subjects have expanded rights and plaintiffs suffering harm from a data breach may file for restitution for their damage on the basis of the more comprehensive and coherent liability provision of Article 82. Many of the amendments and clarifications of this new provision are intended to (a) address the significant divergence in the liability rules transposing Article 23 of the repealed Data Protection Directive into national legislation and (b) complement such rules. These amendments are, mostly, very welcome, including: an explicit provision for compensation of moral damage, liability under certain conditions of the processor and joint liability of persons who have jointly caused the damage, and a right of representation of the data subject by a competent association.

Emmanuela Truli, Dr. Juris (LMU, Munich), LL.M. (Columbia, New York), Attorney at Law admitted in the Athens and New York Bar, is Assistant Professor of Civil Law at the Athens University for Economics and Business and a former Commissioner-Rapporteur of the Hellenic Competition Commission.

Notes

  1.

    See e.g. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, OJ L 201/37 (Privacy and electronic communications Directive); Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, OJ L 105/54 (Retention of data Directive).

  2.

    It took a few years for the Member States to implement the Directive; see the European Commission’s site on the Status of implementation of Directive 95/46: http://ec.europa.eu/justice/data-protection/law/status-implementation/index_en.htm. On the implementation and success of the Data Protection Directive see also Robinson / Graux / Botterman / Valeri (2009); Korff (2002); European Commission, Case No. COM/2003/0265 – First report on the implementation of the Data Protection Directive, 15 May 2003.

  3.

    European Economic Area: Iceland, Norway and Liechtenstein.

  4.

    For a general assessment of Directive 95/46/EC ten years after its enactment, see Poullet (2006).

  5.

    See European Commission, Proposal for a Regulation COM(2012) 11 final, 25 January 2012, SEC(2012) 72 final, SEC(2012) 73 final, Explanatory Memorandum, 1. See also Recital 6 of Regulation 2016/679/EU. On the new challenges to data protection see also the Comparative Study on different approaches to new privacy challenges in particular in the light of technological development, Final Report (2010) LRDP Kantor Ltd.

  6.

    See information on the webpage of the Council of the EU, available at: http://www.consilium.europa.eu/en/policies/data-protection-reform/.

  7.

    See Article 6(1) of the Treaty of the European Union, recognizing the rights, freedoms and principles set out in the Charter of Fundamental Rights of the European Union of 7 December 2000 (as adapted in Strasbourg, on 12 December 2007), and Article 8 of the EU Charter of Fundamental Rights. See also Article 16 of the Treaty on the Functioning of the European Union and Article 8 of the European Convention on Human Rights.

  8.

    See European Commission, Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions - A comprehensive approach on personal data protection in the European Union, COM(2010) 609 final, 4 November 2010.

  9.

    See European Council, Council conclusions on the Communication from the Commission to the European Parliament and the Council – A comprehensive approach on personal data protection in the European Union, 3071st Justice and Home Affairs Council meeting Brussels, 24 and 25 February 2011.

  10.

    See European Parliament, Committee on Civil Liberties, Justice and Home Affairs, Working Document (1 and 2) on a comprehensive approach on personal data protection in the European Union, 15 March 2011.

  11.

    See Opinion of 14 January 2011 on the Communication from the Commission on ‘A comprehensive approach on personal data protection in the European Union’.

  12.

    See Letter from the Article 29 Working Party addressed to Vice-President Reding regarding the Article 29 WP’s reaction to the Commission Communication ‘A comprehensive approach to personal data protection in the EU’, 14 January 2011.

  13.

    See De Hert / Papakonstantinou (2012), 130, 131 et seq.

  14.

    Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, OJ L 119/1, 4 May 2016 (GDPR).

  15.

    Directive (EU) 2016/680 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/997/JHA, OJ L 119/89, 4 May 2016 (Police and Criminal Justice Data Protection Directive). The Directive must be transposed by member states by 6 May 2018.

  16.

    See European Commission, Press release (IP 16-1403), Joint Statement on the final adoption of the new EU rules for personal data protection, 14 April 2016. On the then pending data retention reform see also Robinson (2012), 394 et seq.

  17.

    See Art. 99 Regulation 2016/679.

  18.

    See Art. 94 Regulation 2016/679.

  19.

    See De Hert / Papakonstantinou (2012), 132 with further reference to Commission Communication, 2.2.

  20.

    See Recitals no. 10 et seq. and Article 1 of the GDPR.

  21.

    See Recital no. 9 and Article 1 of the GDPR. With regard to the effect of the new Regulation on businesses see e.g. European Commission (2016), Fact Sheet of January 2016, presenting benefits with regard to: facilitation of cross-border expansion, cutting of costs, creation of a level playing field, etc.

  22.

    See Recitals no. 65-66, 156 and Article 17 of the GDPR. See also ECJ, Google Spain and Google Inc. v. Agencia Española et al, C-131/12, ECLI:EU:C:2014:317 and Kranenborg, EDPL 1/2015, 70.

  23.

    See Recital no. 39 and Article 15 of the GDPR.

  24.

    See Recitals no. 85-87 and Articles 30 and 31 of the GDPR. On the frequency of hacking, with numerous actual cases from the US, see Foresman (2015), 344 et seq.

  25.

    See Recital no. 78 and Article 25 of the GDPR.

  26.

    See Recital no. 89 of the GDPR.

  27.

    See Article 35 of the GDPR. The currently in force Data Protection Directive contains no provisions on impact assessments. The Directive provides for prior checking, which may be qualified as a forerunner of the data-protection impact-assessment requirement; arguably also Article 17 of the Directive could provide the legal basis for such an impact assessment; see on this subject and more on the data-protection impact-assessment novelty of the GDPR van Dijk / Gellert / Rommetveit (2016), 287 et seq. For a possible definition of the term ‘data protection impact assessment’ see Wright / De Hert (2012), 5: ‘a methodology for assessing the impacts on privacy of a project, policy, program, service, product or other initiative which involves the processing of personal information and, in consultation with stakeholders, for taking remedial actions as necessary in order to avoid or minimize negative impacts’.

  28.

    See Recitals 148-152 and Article 82 of the GDPR.

  29.

    See e.g. Van Alsenoy (2012), 25.

  30.

    See Article 2(a) of the Data Protection Directive.

  31.

    See examples from the UK’s data protection authority, available at: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/compensation/.

  32.

    Ibid.

  33.

    Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1). Directive 2000/31/EC introduced special liability protection for hosting providers, namely no liability for services that ‘consist of’ the storage of electronic information, under the condition that the provider has no knowledge or awareness of illegal activity, and removes or blocks illegal data when it does gain knowledge or become aware of illegal activity (‘notice and take down’), see Articles 12 to 15. Notably, the provisions of the GDPR are without prejudice to the application of the abovementioned rules of Directive 2000/31/EC; see Article 2(4) and Recital 21 of the GDPR. On the interaction between e-commerce provisions and data-protection rules see also Sartor (2013), 4 et seq.

  34.

    See Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29).

  35.

    See also Recital 55 of Directive 95/46/EC.

  36.

    See also Christodoulou (2013), para. 232 and the decision of the Athens First Instance Court 2516/2004, DiMEE 2006, 74. See, however, Kanellopoulou-Mboti (2016), 416, with references to the two Greek court decisions 1257/2005 Athens Court of Appeals, Nomiko Vima 205, 289 and 1434/2005 Athens First Instance Court, DiMEE 2005, 75.

  37.

    See in this respect the Irish case about Section 7 of the Irish Data Protection Acts 1988 and 2003 (Irish DPA) Collins v. FBD Insurances, where the court confirmed that the transposed provision did not give rise to an automatic right to compensation in the absence of evidence of actual loss or damage.

  38.

    See the text in the original: ‘Fügt eine verantwortliche Stelle dem Betroffenen durch eine nach diesem Gesetz oder nach anderen Vorschriften über den Datenschutz unzulässige oder unrichtige Erhebung, Verarbeitung oder Nutzung seiner personenbezogenen Daten einen Schaden zu, ist sie oder ihr Träger dem Betroffenen zum Schadensersatz verpflichtet. Die Ersatzpflicht entfällt, soweit die verantwortliche Stelle die nach den Umständen des Falles gebotene Sorgfalt beachtet hat.’

  39.

    See BeckOK DatenSR/Quaas (2013), BDSG § 7, para. 7. See also the decision of Bundesarbeitsgericht which stated that the employer does not have a claim against the union of workers for the sending of advertisement e-mails sent to the business addresses of his employees, because these are considered personal data of the latter, BAG NJW 2009, 1990.

  40.

    Ibid., para. 7.1. See also ibid., para. 35 et seq.

  41.

    The introduction of a risk of civil liability seeks to ensure that any damage caused by unlawful processing receives appropriate compensation: see Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’, WP169, 16 February 2010, 5. The German jurisprudence at times overlooks the preventive nature of damages: see BeckOK DatenSR/Quaas (2013), BDSG § 7 para. 2.

  42.

    See Article 2(e) of the (repealed) Data Protection Directive.

  43.

    The contractual agreements between them could therefore provide for a ‘liability sharing’ clause, determining who will ultimately bear the cost of compensation; see BeckOK DatenSR/Quaas (2013), BDSG § 7 para. 40. If such clause is missing, the national breach-of-contract provisions will apply and liability shall be shared according to the respective rules of each jurisdiction. Hence, processors are, as a rule, only indirectly liable for compliance obligations under Directive 95/46/EC.

  44.

    And also for the determination of the law applicable and the responsibility to comply with the substantive provisions of the Data Protection Directive, see also Van Alsenoy (2012), 26. For guidance on how to apply the concepts of controller and processor see the opinion of the Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’, WP169, 16 February 2010.

  45.

    Thus for Germany; see indicatively BeckOK DatenSR/Quaas (2013), BDSG § 7 para. 41.

  46.

    Thus for Germany; see Gola / Klug / Körffer (2015), BDSG § 7 para. 20.

  47.

    Thus in Germany; ibid., para. 7.

  48.

    See also ErfK/Franzen (2016), BDSG § 7 para. 1. For a German case in which the claimant failed to prove the causation between his damage and the data breach, see LG Bonn NJW-RR 1994, 1392.

  49.

    See also Clifford / Van Der Sype (2016), 277 et seq. On the difficulties of proving causation and damage see also: European Union Agency for Fundamental Rights (2013), Access to data protection remedies in EU Member States, 28 et seq.

  50.

    See for Germany indicatively Gola / Klug / Körffer (2015), BDSG § 7 para. 9.

  51.

    See Korff (2002), 179 et seq.

  52.

    Ibid., 180.

  53.

    See e.g. the German approach, which takes into consideration the expected standard of care under the particular circumstances, whereby the more sensitive the information the higher is the standard of care and the existence of certification and quality-control mechanisms may also be taken into account; see BeckOK DatenSR/Quaas (2013), BDSG § 7 para. 63 et seq.

  54.

    See Article 23 L. 2472/1997: ‘1. Any natural person or legal entity of private law, who in breach of this law, causes material damage shall be liable for damages in full. If the same causes non pecuniary damage, s/he shall be liable for compensation. Liability subsists even when said person or entity should have known that such damage could be brought about. 2. The compensation payable according to article 932 of the Civil Code for non pecuniary damage caused in breach of this law is hereby set at the amount of at least two million Drachmas (GRD 2,000,000), unless the plaintiff claims a lesser amount or the said breach was due to negligence. Such compensation shall be awarded irrespective of the claim for damages.’ On the Greek Data Protection Law see also Mitrou (2010), Country Studies, A.5. Greece, 3 et seq.

  55.

    See Gola / Klug / Körffer (2015), BDSG § 7 para. 12; BeckOK DatenSR/Quaas (2013), BDSG § 7 para. 55 with further references, indicatively to Tremml / Karger / Luber (2013), para. 1047; references to the opposing opinion include Wächter (2014), para. 1053, and Scheja / Haag (2013), 5 para. 366.

  56.

    See Palmer (2015); further explaining that the need for claimants to prove pecuniary loss as a prerequisite to claiming for distress has required significant evidential contortions in the past, see e.g. Johnson v MDU [2006] EWHC 321. In this case the claimant had brought an action against his old insurer for compensation under Section 13 of the Data Protection Act 1998 for unfair processing of his personal data. The claimant contended that he had a case against the risk manager who prepared materials for consideration by the risk management group: he had purportedly unfairly selected them, which led to termination of the claimant’s insurance coverage and great damage to his professional reputation. The Court held that the preparation of a summary by the risk manager was processing according to Section 1(1) of the DPA 1998 but that the unfair processing element had not caused the mutual society to terminate the claimant’s membership.

  57.

    See Vidal-Hall v Google Inc, [2014] EWHC 13 (QB), Judgment of 16 January 2014.

  58.

    Interestingly, the Court of Appeals also decided that browser-generated information (BGI) such as cookies constitute ‘personal data’. Google argued that BGI was anonymous information. The Court of Appeals examined first whether the BGI identified an individual by itself: on the basis of the Opinion issued by the Working Party 29 on the concept of personal data and the decision of the European Court of Justice in Lindqvist, the court stated that the correct approach may be to consider whether the data ‘individuates’ the individual (differentiates him from others) and that it is not necessary for the data to reveal information such as the actual name of the individual. Since the BGI told Google such information as the claimants’ unique IP address, the websites they were visiting, and even their rough geographic location, the Court of Appeal concluded that it is likely that the individuals were sufficiently individuated and that the BGI on its own constitutes ‘personal data’. See also Palmer (2015).

  59.

    See para. 91 et seq. in the decision Vidal-Hall v Google Inc, [2014] EWHC 13 (QB); see also the court’s referral to the ECJ, Leitner v. TUI Deutschland Gmbh & Co KG, C-168/00, ECLI:EU:C:2002:163.

  60.

    This is at times also sanctioned with criminal penalties. Criminal provisions are in some jurisdictions, such as Greece, considered to have the object of protecting the individual, hence can be used in conjunction with the general tort provisions for the substantiation of tort claims (namely with Article 914 of the Greek Civil Code).

  61.

    See Article 9 of the French Civil Code, Loi 1803-03-08 (as amended and currently in force): ‘Chacun a droit au respect de sa vie privée. Les juges peuvent, sans préjudice de la réparation du dommage subi, prescrire toutes mesures, telles que séquestre, saisie et autres, propres à empêcher ou faire cesser une atteinte à l’intimité de la vie privée: ces mesures peuvent, s’il y a urgence, être ordonnées en référé.’

  62.

    See Article 57 of the Greek Civil Code. See also Christodoulou (2013), para. 224.

  63.

    The Federal Data Protection Act (BDSG) is considered a ‘protective provision’ as required by § 823(2) of the German Civil Code (BGB).

  64.

    See indicatively for Germany ErfK/Franzen (2016), BDSG § 7 para. 1; BeckOK DatenSR/Quaas (2013), BDSG § 7 para. 1.

  65.

    See indicatively Articles 197-198 of the Greek Civil Code.

  66.

    See indicatively for Germany Gola / Klug / Körffer (2015), BDSG § 7 para. 18.

  67.

    See for Germany indicatively Gola / Klug / Körffer (2015), BDSG § 7 para. 16.

  68.

    See for Germany BeckOK DatenSR/Quaas (2013), BDSG § 7 para. 4 with reference to the case OLG Zweibrücken, Decision of 21.2.2013 – 6 U 21/12, JAmt 2013, 414.

  69.

    Thus in Germany see Gola / Klug / Körffer (2015), BDSG § 7 para. 15.

  70.

    See above, under 2.1.3. Compare also below, under 3.4.

  71.

    Especially for patient personal data see also Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45) and in particular Article 4(2)(f)): ‘in order to ensure continuity of care, patients who have received treatment are entitled to a written or electronic medical record of such treatment, and access to at least a copy of this record in conformity with and subject to national measures implementing Union provisions on the protection of personal data, in particular Directives 95/46/EC and 2002/58/EC’.

  72.

    This may be the case for some cloud-services providers: see Stylianou / Venturini / Zingales (2015), 11 et seq. On the cases of a number of EU Data Protection Authorities against Google see Voss (2014/2015). On the notion of cloud computing and its privacy risks see also Svantesson / Clarke (2010), 391 et seq.

  73.

    See Franet Contractor, Ad Hoc Information Report, Data Protection: Redress mechanisms and their use, United Kingdom (2012), University of Nottingham Human Rights Law Centre.

  74.

    See Section 7 of the UK Data Protection Act.

  75.

    See Section 10 of the UK Data Protection Act. See also the 2011 High Court case Law Society v. Kordowski [2011] EWHC 3184 (QB), which held that the defendant’s processing on his website of the claimant’s personal data was in breach of the data-protection principles. A perpetual injunction under Section 10 of the UK Data Protection Act (prevention of data processing) was granted, ordering the defendant to cease processing the claimant’s personal data.

  76.

    See Section 11 of the UK Data Protection Act.

  77.

    See Section 12 of the UK Data Protection Act.

  78.

    See Section 14 of the UK Data Protection Act. In the case Law Society v. Kordowski [2011] EWHC 3184 (QB) mentioned above, the court also issued an order under Section 14 of the UK Data Protection Act requiring the defendant to block, erase, and destroy all the data that was the subject of the claim.

  79.

    See BeckOK DatenSR/Quaas (2013), BDSG § 7 para. 3.

  80.

    For Germany see indicatively ibid., § 11 and 11.1. See, however, BAG NJW 2009, 1990, 1996 with reference to a desist order on the basis of the application of § 7.

  81.

    See art. 99 of Regulation 2016/679.

  82.

    See art. 94 of Regulation 2016/679. See also Recital 171 of the Regulation, which further explains that ‘processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. Commission decisions adopted and authorizations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed’.

  83.

    See also Eickelpasch (2016), 22 favoring an amendment of the national provisions of the German Data Protection Act (and the federal state laws) that are in conflict with the GDPR rules.

  84.

    Critical on the many options of the GDPR which provide large room for maneuver in the Member States and their data-protection authorities, see Piltz (2016), 557. Considering that, in this respect, the GDPR is an ‘atypical hybrid between Regulation and Directive’, see Kühling / Martini (2016), 449.

  85.

    See also Piltz (2016), 560 and the document of the Council 14732/14 of 24.10.2014, available at: http://data.consilium.europa.eu/doc/document/ST-14732-2014-INIT/en/pdf on the proposal of a ‘minimum harmonization’ clause (Article 1 para. 2a proposed by the Council), which would allow the Member States to introduce higher protection rules, and which was not included in the final text.

  86.

    For Germany, see indicatively BeckOK DatenSR/Quaas (2013), BDSG § 7 para. 41. Although, of course, in practice, the controller and processor could allocate liability between them on the basis of their contractual agreements.

  87.

    See also Van Alsenoy (2012), 26.

  88.

    See also Article 26 of the GDPR about ‘joint controllers’.

  89.

    See §§ 830 and 840 BGB. See also § 421 BGB.

  90.

    See Articles 926-927 of the Greek Civil Code. See also Article 481 Greek Civil Code.

  91.

    See De Hert / Papakonstantinou (2012), 142.

  92.

    ‘Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.’

  93.

    Compare Article 22 of the Data Protection Directive with the title ‘Remedies’: ‘Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question.’

  94.

    The provision does not apply directly to the right of Article 82 for compensation, as is evident from the fact that Article 82(6) expressly refers to Article 79(2) for its application also with regard to Article 82 GDPR.

  95.

    See Article 12 et seq. of the GDPR.

  96.

    See Article 15 of the GDPR.

  97.

    See Article 16 of the GDPR.

  98.

    See Article 17 of the GDPR (the so-called right to be forgotten).

  99.

    Such right was included in the Data Protection Directive only with regard to the supervisory authorities, see Article 28 para. 4: ‘Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim’.

  100.

    Interestingly, Article 80(2) goes on to introduce the possibility for Member States to ‘provide that any body, organization or association referred to in paragraph 1 of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing’ (emphasis added).

  101.

    See Article 79(2) of the GDPR.

References

  • Christodoulou, K. (2013), Data Protection Law (Dikaio Prosopikon Dedomenon), 2013 Nomiki Vivliothiki

  • Clifford, D. / Van Der Sype, Y.S. (2016), Online dispute resolution: Settling data protection disputes in a digital world of customers, 32 Computer Law & Security Review 272, Elsevier

  • De Hert, P. / Papakonstantinou, V. (2012), The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals, 28 Computer Law and Security Review 130, Elsevier

  • Van Dijk, N. / Gellert, R. / Rommetveit, K. (2016), A risk to a right? Beyond data protection risk assessments, Computer Law & Security Review 32 (2016), 286, Elsevier

  • Eickelpasch, J. (2016), Die neue Datenschutzgrundverordnung, 9/2016 Kommunikation & Recht 21, Fachmedien Recht und Wirtschaft

  • Foresman, A.R. (2015), Once More Unto the [Corporate Data] Breach, Dear Friends, 41:1 The Journal of Corporation Law 343, The University of Iowa

  • Franzen, M. (2016), BDSG § 7 Schadensersatz, in: T. Dieterich / P. Hanau / G. Schaub / R. Müller-Glöge / U. Preis / I. Schmidt (Eds.), Erfurter Kommentar zum Arbeitsrecht, 16. Auflage 2016, C.H. Beck (cited: ErfK/author)

  • Gola, P. / Klug, C. / Körffer, Barbara (2015), BDSG § 7, in: P. Gola / R. Schomerus (Eds.), Bundesdatenschutzgesetz, 12. Aufl. 2015, C.H. Beck

  • Kanellopoulou-Mboti, M. (2016), Data protection breach sanctions (Kiroseis apo tin prosboli prosopikon dedomenon), in: Kotsalis, L. (Ed.), Personal Data (Prosopika Dedomena), 403-419, Nomiki Bibliothiki 2016

  • Korff, D. (2002), EC Study on Implementation of Data Protection Directive – Comparative Study of national laws, Human Rights Centre, University of Essex, available at: http://194.242.234.211/documents/10160/10704/Stato+di+attuazione+della+Direttiva+95-46-CE

  • Kranenborg, H. (2015), Google and the Rights to Be Forgotten, 1 European Data Protection Law Review, 70

  • Kühling, J. / Martini, M. (2016), Die Datenschutz-Grundverordnung: Revolution oder Evolution im europäischen und deutschen Datenschutzrecht? Europäische Zeitschrift für Wirtschaftsrecht 2016, 448

  • LRDP Kantor Ltd, Centre for Public Reform (2010), Comparative Study on different approaches to new privacy challenges in particular in the light of technological development, Final Report (20 January 2010), available at: http://ec.europa.eu/justice/data-protection/document/studies/files/new_privacy_challenges/final_report_en.pdf

  • Mitrou, L. (2010), Comparative Study on Different approaches to new privacy challenges, in particular in the light of technological developments, Country Studies, A.5. Greece, Final edit – May 2010, 3 et seq., available at: http://ec.europa.eu/justice/data-protection/document/studies/files/new_privacy_challenges/final_report_country_report_a5_greece.pdf

  • Palmer, G. (2015), UK - Google v Vidal-Hall (2015), A green light for compensation claims?, available at: http://www.linklaters.com/Insights/Publication1403Newsletter/TMT-News-June-2015/Pages/UK-Google-Vidal-Hall-green-light-compensation-claims.aspx

  • Piltz, C. (2016), Die Datenschutz-Grundverordnung, 9/2016 Kommunikation & Recht 557, Fachmedien Recht und Wirtschaft

  • Poullet, Y. (2006), The Directive 95/46/EC: Ten years after, 22 Computer Law & Security Report 206, Elsevier

  • Quaas, S. (2013), BDSG § 7, in: H.A. Wolff / S. Brink (Eds.), Kommentar Datenschutzrecht, 11. Edition, 2013, C.H. Beck (Beck Online) (cited: BeckOK DatenSR/Quaas)

  • Robinson, N. / Graux, H. / Botterman, M. / Valeri, L. (2009), Review of the European Data Protection Directive, (2009), Technical Report, available at: http://www.rand.org/content/dam/rand/pubs/technical_reports/2009/RAND_TR710.pdf

  • Robinson, G. (2012), Data protection reform, passenger name record and telecommunications data retention: Mass Surveillance Measures in the E.U, and the Need for a Comprehensive Legal Framework, 95 Critical Quarterly for Legislation and Law 394, Nomos Verlagsgesellschaft mbH

  • Sartor, G. (2013), Provider’s liabilities in the new EU Data Protection Regulation: A threat to Internet freedoms?, 3 International Data Privacy Law, 3, Oxford Journals

  • Scheja, G. / Haag, N.C. (2013), Teil 5, in: A. Leupold / S. Glossner (Eds.), Münchner Anwaltshandbuch IT-Recht, 3. Aufl. 2013, C. H. Beck

  • Stylianou, K. / Venturini, J. / Zingales, N. (2015), Protecting user privacy in the Cloud: analysis of terms of service, 6 European Journal of Law and Technology, 1, available at: http://ejlt.org/article/view/462/593

  • Svantesson, D. / Clarke, R. (2010), Privacy and consumer risks in cloud computing, 26 Computer Law & Security Review, 391, Elsevier

  • Tremml, B. / Karger, M. / Luber, M. (2013), Der Amtshaftungsprozess, 4. Aufl. 2013, Vahlen

  • Van Alsenoy, B. (2012), Allocating responsibility among controllers, processors, and ’everything in between’: the definition of actors and roles in Directive 95/46/EC, 28 Computer Law & Security Review 25, Elsevier

  • Voss, W.G. (2014/2015), European Union Data Privacy Law Developments (December 2014), Business Lawyer, Vol. 70, No. 1, 2014/2015, American Bar Association, available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2572948

  • Wächter, M. (2014), Datenschutz im Unternehmen, 4. Aufl. 2014, C.H. Beck

  • Wright, D. / De Hert, P. (2012), Privacy impact assessment, media 2012, Dordrecht - Springer Netherlands

Correspondence to Emmanuela Truli.

© 2018 Springer-Verlag GmbH Germany, part of Springer Nature

Cite this chapter

Truli, E. (2018). The General Data Protection Regulation and Civil Liability. In: Bakhoum, M., Conde Gallego, B., Mackenrodt, MO., Surblytė-Namavičienė, G. (eds) Personal Data in Competition, Consumer Protection and Intellectual Property Law. MPI Studies on Intellectual Property and Competition Law, vol 28. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-57646-5_12

  • DOI: https://doi.org/10.1007/978-3-662-57646-5_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-57645-8

  • Online ISBN: 978-3-662-57646-5

  • eBook Packages: Law and Criminology, Law and Criminology (R0)
