Article 28 — Remedies and Sanctions

  1. The supervisory authority may impose the following sanctions for infringement of this Code:
    1. a formal warning, in the case of a first infringement where the infringement is non-intentional and of minor gravity, requiring the controller or processor to bring its processing operations into compliance with this Code;
    2. an order to bring processing operations into compliance with this Code within a specified period not exceeding sixty days, with the possibility of extension in exceptional circumstances at the discretion of the supervisory authority;
    3. a temporary limitation on or suspension of processing for a specified period, where the supervisory authority determines that continued processing poses a significant risk to the rights and freedoms of data subjects;
    4. a definitive ban on processing, in whole or in part, where a temporary measure has proven insufficient or where the gravity of the infringement so warrants;
    5. an order to rectify, erase, or restrict personal data, and to notify such action to each recipient to whom the data have been disclosed, in accordance with Chapter 2 of Title II of this Code.
  2. For serious, repeated, or intentional infringements, the supervisory authority may, in addition to or in lieu of the sanctions referred to in paragraph 1, impose the following measures:
    1. the revocation of any licence, authorisation, accreditation, or recognition granted to the controller or processor under the laws or decrees of the Principality;
    2. public censure, by means of a public statement identifying the controller or processor and describing the nature and gravity of the infringement, published in the Official Gazette and on any official digital platform of the Principality.
  3. Any natural or legal person who has suffered material or non-material damage as a result of an infringement of this Code shall have the right to receive compensation from the controller or processor responsible for the infringement. For the purposes of this paragraph, non-material damage includes distress, loss of privacy, reputational harm, and any other form of prejudice that is not purely pecuniary in nature.
  4. A controller involved in processing shall be liable for any damage caused by processing that infringes this Code. A processor shall be liable for damage caused by processing only where:
    1. it has not complied with obligations of this Code that are specifically directed to processors; or
    2. it has acted outside or contrary to the lawful instructions of the controller.
  5. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and are responsible for damage caused by that processing, each shall be held jointly and severally liable for the entire damage, in order to ensure effective compensation of the data subject. A controller or processor that has paid full compensation for the damage suffered may subsequently bring a claim for contribution against the other controllers or processors involved in the same processing, in proportion to their respective responsibility for the damage.
  6. A controller or processor shall be exempt from liability under paragraphs 3 to 5 if it proves that it is not in any way responsible for the event giving rise to the damage. The burden of proof shall rest with the controller or processor claiming exemption.
  7. In determining the sanction to be imposed under paragraphs 1 and 2, the supervisory authority shall take into account all relevant circumstances, including:
    1. the nature, gravity, and duration of the infringement;
    2. the intentional or negligent character of the infringement;
    3. the categories of personal data affected;
    4. the number of data subjects affected;
    5. any action taken by the controller or processor to mitigate the damage suffered by data subjects;
    6. any relevant previous infringements by the controller or processor;
    7. the degree of cooperation with the supervisory authority;
    8. the manner in which the infringement became known to the supervisory authority, including whether and to what extent the controller or processor notified the infringement.
  8. The imposition of sanctions under this Article shall be without prejudice to the right of the data subject to seek additional remedies available under the laws of the jurisdiction in which the data subject is resident or in which the damage occurred.