IT Lexicon
Class action
In order to enforce its personal data protection provisions and as data breaches usually affect several data subjects, the GDPR (Regulation 2016/679) introduces the possibility of conducting group/class actions.
The class action allows several data subjects who have suffered damages in connection with the processing of their personal data to bring joint claims against the controller or processor concerned.
It aims to stop the damage caused by the failure of a controller or processor to comply with the GDPR and/or to hold them liable in order to obtain compensation for the material and moral damage suffered as a result of the data breach.
However, in France, only one of the following organizations is authorized to bring a class action before the courts (Article 37 of the Data Protection Act):
- Privacy and data protection associations that have been registered for at least 5 years;
- Nationally approved consumer protection associations;
- Representative unions of employees or civil servants.
These associations and unions initiate the group action on behalf of all persons affected by the data breach, and thus claim damages on their behalf to compensate for the harm suffered.
The group action can only be brought after the controller or processor at the origin of the complaint has been given formal notice to cease the data breach or cause it to cease, or to make good the damage suffered, and after the expiry of a period of four months from receipt of that formal notice.
The conditions for exercising group actions may differ from one Member State to another.
Thus, while in the Netherlands, associations will be systematically assessed at an early stage of the procedure (finally, experience, governance…), in the United Kingdom all associations that meet the conditions of Article 80 of the GDPR are allowed to act.
Consequently, it is important to choose the Member State in which to bring the group action (place of residence of the data subject or place of establishment of the controller or processor).
GDPR Point
“The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.”
Article 80(1) of the GDPR
The Bouchara law firm assists you in particular with:
- Legal analysis of your injury in connection with the data breach;
- Legal analysis of the feasibility of a group action before the European supervisory authorities and/or the courts of the European Union Member States;
- The drafting and management of letters of formal notice, which are essential before the introduction of a class action;
- Managing your class action (if you are an association or union);
- Making your organization GDPR compliant;
- The drafting of data protection policies (privacy policy, computer charter…);
- Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
- Obtaining certifications and adhering to codes of conduct;
- The study of the legal feasibility of the implementation of a new personal data processing;
- The drafting and transmission of your codes of conduct to the CNIL for approval;
- Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
- Drafting and negotiating your data processing agreements (DPA);
- Drafting your Binding Corporate Rules (BCR) and Codes of Conduct.
We are also the external Data Protection Delegate for many data processors and subcontractors.