Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
Paragraph 2:
Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation
Article 24, paragraph 1:
**[T]he controller shall **implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.
Article 5, paragraph 1f:
Personal data shall be: […] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss,
Article 83, paragraphs 2 and 5:
Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
Article 4, paragraph 7:
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Article 82, paragraph 1 of the GDPR:
Paragraph 2:
Article 24, paragraph 1:
Article 5, paragraph 1f:
Article 83, paragraphs 2 and 5:
Article 4, paragraph 7:
(All quotes are excepts, emphasis mine
https://gdpr-info.eu/
I think we can both guess why these companies never really face penalties that hurt them materially despite this being codified into law in the EU…
I got lost in the comments… why did you paste that here? To show that it is possible to make the data controller liable for breaches?
Exactly. This is supposed to show that what @demesisx@infosec.pub demands is already law in the EU.