Liability under EU Data Protection Law: From Directive 95/46 to the General Data Protection Regulation

Van Alsenoy, Brendan

This article analyses the liability exposure of organisations involved in the processing of personal data under European data protection law. It contends that the liability model of EU data protection law is in line with the Principles of European Tort Law (PETL), provided one takes into account the “strict” nature of controller liability. After analysing the liability regime of Directive 95/46, the article proceeds to highlight the main changes brought about by the General Data Protection Regulation. Throughout the article, special consideration is given to the nature of the liability exposure of controllers and processors, the burden of proof incumbent upon data subjects, as well as the defences available to both controllers and processors.

Keywords: Data protection; Directive 95/46; GDPR; General Data Protection Regulation; PETL; Principles of European Tort Law; controller; liability; processor

340 periodical academic journal

JIPITEC 7 (3), 2017, pp. 271-288

ISSN: 2190-3387

urn:nbn:de:0009-29-45064

van alsenoy2017