Who is liable for damages suffered by data subjects?