(1) A person who suffers damage by reason of a contravention of a requirement of the data protection legislation, other than the UK GDPR, is entitled to compensation for that damage from the controller or the processor, subject to subsections (2) and (3).
(2) Under subsection (1) -
(a) a controller involved in processing of personal data is liable for any damage caused by the processing, and
(b) a processor involved in processing of personal data is liable for damage caused by the processing only if the processor -
(i) has not complied with an obligation under the data protection legislation specifically directed at processors, or
(ii) has acted outside, or contrary to, the controller's lawful instructions.
(3) A controller or processor is not liable as described in subsection (2) if the controller or processor proves that the controller or processor is not in any way responsible for the event giving rise to the damage.
(4) A joint controller in respect of the processing of personal da
…