The controller or the processor that, as a result of carrying out their activity of processing personal data, cause material, moral, individual or collective damage to others, in violation of legislation for the protection of personal data, are obligated to redress it.
§1 In order to ensure the actual indemnification to the data subject:
I – the processor jointly answers for the damages caused by the processing when they do not comply with the obligations of data protection legislation or when she/he has not followed controller’s lawful instructions, in which case the processor is deemed equivalent to the controller, except in cases of exclusion as provided in Art. 43 of this Law;
II – controllers who are directly involved in the processing from which damages resulted to the data subject shall jointly answer, except in cases of exclusion as provided in Art. 43 of this Law.
§2 The judge, in a civil lawsuit, may reverse the burden of proof in favor of the data subject when, at her/his discretion, the allegation appears to be true, there are no funds for the purpose of producing evidence or when production of evidence by the data subject would be overly burdensome.
§3 Lawsuits for compensation for collective damages, the objective of which is liability pursuant to the terms of the lead sentence of this article, may be filed collectively in court, subject to the provisions of pertinent legislation.
§4 Anyone who pays compensation for damage to the data subject has the right of recourse against other liable parties, to the extent of their participation in the damaging event.