Regulation by the citizen: rights, remedies, representation and compensation
Citizens are the 'second line of defence' - and the ~500 million citizens across the EU and UK are massive enforcement firepower. The GDPR gives individuals choices: exercise their rights against the controller, complain to a DPA, or litigate in court - or pursue several at once. Key articles: Article 77 (complaints), Article 79 (judicial remedy against controllers/processors), Article 78 (remedy against a DPA), Article 80 (representative actions), Article 82 (compensation for material or non-material damage).
The GDPR does not require an individual to use their data subject rights against a controller before complaining to a DPA or going to court - they can take either path directly, or both at once. In reality, complaining to a regulator is the low-risk, preferred option, because litigation is expensive and, in some countries (e.g. the UK), the loser can be ordered to pay the winner's costs.
| Article | Remedy | Key feature / forum |
|---|---|---|
| 77 | Complaint to a DPA | Individual may choose the DPA for their residence, place of work, or place of the infringement |
| 78 | Judicial remedy against a DPA | Used where a DPA decision affects you, or it fails to act / decide within three months |
| 79 | Judicial remedy against a controller/processor | Home court or court of establishment; available alongside a DPA complaint |
| 80 | Representative action (CSO) | A not-for-profit represents one or more individuals; member states may allow this without a mandate |
| 82 | Compensation | Material or non-material damage; non-material includes distress |
The phrase material or non-material damage in resolves old ambiguity (settled in the UK by Vidal-Hall): damage clearly includes distress and other non-pecuniary harm. Recital 146 says 'damage' should be interpreted broadly. Where multiple parties are at fault, any responsible controller/processor can be liable for all the damage and then seek indemnities.