GDPR (the EU General Data Protection Regulation) requires, among many other things, that there be a contract between any data controller and data processor that covers “the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.” (Here is our explanation of who is a data controller and who is a data processor. If you are a business, you are at least one, and quite possibly both.)
[See here for a quick overview of why you need to comply with GDPR even if you are not in the EU.]
The sections of GDPR controlling contracts and liability are detailed, numerous, and provided below. Here, however, for purposes of this discussion, is the thing that you need to know above all else:
If a data processor to whom the data controller provides personal data for processing is not, in fact, GDPR-compliant, and as a result an individual’s personal data is handled in a way not in compliance with GDPR, and the individual suffers damages, the DATA CONTROLLER can be held liable for the entire damage, right alongside the processor (Article 82(4), quoted below). The controller may later claim its share back from the processor (Article 82(5)), but the individual is entitled to collect the full amount from whichever party they choose.
(Again, see here for our explanation of who is a data controller and who is a data processor.)
For example, if you upload your email mailing list (email addresses are personal data) to an email service provider, and the email service provider experiences a data breach such that the email addresses on your mailing list are exposed, and if even one person on your mailing list, as a result, suffers damages attributable to that breach – you are liable.
Let that sink in for a moment.
Ok, has it sunk in?
YOU are legally on the hook for the damages under GDPR suffered by that individual whose email address you uploaded to the email service provider, even though it was the email service provider who was not compliant with GDPR, and who experienced the breach. The only way out is to prove that you were “not in any way responsible for the event giving rise to the damage” (Article 82(3)), and the burden of proving that is on you.
And let’s not forget just how hefty the fines are (which are in addition to whatever damages the individual suffered). GDPR provides for administrative fines of up to 20 million euros or 4% of a business’ total worldwide annual turnover for the preceding financial year, whichever is higher.
This is just one of a myriad of examples one can come up with, especially given how broadly GDPR defines “personal data”. Article 4(1) of GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
So: name, address, email address, telephone number, date of birth, social security number, salary, location, IP address, and on and on. Note that the definition covers indirect identification, so a record that contains no name can still be personal data if it can be tied back to a person (an IP address or a device identifier, for example).
Any time you provide anybody’s personal data to a third-party for ‘processing’, you are at risk for liability.
For this reason, it is critical that for any relationship in which your business either provides someone’s personal data to a third party or receives someone’s personal data from a third party, you rework your contracts to make sure you are as covered as possible with respect to GDPR liability. If you don’t have a written contract at all between you, you must put one in place ASAP: Article 28(3) and 28(9) require one, in writing (electronic form counts).
The Two Things that All Service and Other Business Contracts Must Have to Protect Yourself from GDPR Liability
There are two things that all service and other business contracts must have, whether you originate the contract or the other party originates the contract, in order to protect yourself as much as possible from GDPR liability. Those two things are:
- Recitals of GDPR compliance
- An indemnification clause
GDPR itself requires the recitals of GDPR compliance: Article 28(3), quoted below, lists the obligations that the contract with a processor must spell out, from processing only on your documented instructions to deleting or returning the data when the engagement ends and submitting to audits.
GDPR says nothing about indemnification clauses as such. What it does provide (Article 82(5)) is a statutory right to claim back from the other parties involved the part of the compensation corresponding to their share of responsibility, after you have paid the data subject in full. That is a right to argue about apportionment afterwards, in court if need be. An indemnification clause settles in advance who pays for what, on what terms, and with what caps, which is why you want one even though the law does not demand it. After all, GDPR assigns liability; it does not care where the money comes from or whether you, as the data controller, ever manage to get reimbursed by a non-compliant data processor.
Below are the sections of GDPR that create this potential liability nightmare. They are Article 28 and Article 82 (which some have taken to calling the ‘palindromic evil twins’ of GDPR).
What You Should Do Right Now to Protect Yourself
There are plenty of situations in running a business that do not require the touch of a lawyer; however, drafting or modifying contracts is an undertaking that really needs to be done by a legal professional. Something as simple as the placement of a comma can make all the difference in how a contract is interpreted during a lawsuit, and something that seemingly insignificant can (and often does) help determine who prevails.
This is truly a situation where leaving it to the professionals can save you hundreds of thousands of dollars, not to mention the aggravation of a lawsuit. In fact, the better honed the contract, the more likely it is to ward off a lawsuit altogether.
So, get together with your in-house attorney, corporate counsel, or business lawyer ASAP, have them read this article and the below text of the relevant sections of GDPR, and have them modify (or create) your contracts to GDPR-proof them as much as possible.
We can also help you with that if your own attorney is not very familiar with GDPR, or if you don’t have one. If you’d like us to help you get your contracts in compliance with GDPR and GDPR-proof them, contact us here.
Article 28 of GDPR
1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) takes all measures required pursuant to Article 32;
(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;
(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.
5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.
7. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).
8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.
9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.
Article 82 of GDPR
Right to compensation and liability
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).