Data processors and controllers can receive administrative fines for non-compliance from supervisory authorities. These fines can be assigned together with or instead of other measures imposed by the authorities.
Data processors are liable only in the situation where they have not complied with the GDPR obligations specific to processors, or when they have breached the data controller’s instructions.
Data controllers, on the other hand, are liable for the damage caused by non-compliance with the GDPR. Claims against a processor under the GDPR must provide not only information on general non-compliance and proof of damage, but also proof that the processor has violated a specific legal duty or contractual obligation.
If fines for non-compliance are established, it is the controllers’ and processors’ turn to prove they are not responsible for the damage. When they are involved in the same legal action, the liability can be divided among them according to their share in the harm. The only condition for this is that the data subject is fully compensated. If one of the parties (controller or processor) has paid the whole compensation to the data subject, it is entitled to claim back the part for which it is not responsible. The application of fines is discretionary rather than mandatory.
The chosen approach regarding fines is a two-tiered one, depending on the gravity, duration and nature of the infringement: