Allocation and limitation of liability in data processor agreements
2017-10-24, Nordic Privacy Arena
The "What if?" problem
• Violations of the GDPR can lead to damages and sanction fees of up to 4 % of turnover or 20 m EUR.
• What if a data processor causes a data controller to violate the GDPR?
• What if a data controller causes a data processor to violate the GDPR?
The "natural" solution
• Data controller's point of view:
  • Impose obligation on the data processor to not do anything that makes the controller breach the GDPR
  • Impose unlimited liability on the data processor for incurred damages and sanction fees
• Data processor's point of view:
  • Fight for a liability cap!
• Result: long negotiations and risk premiums
Is this really a problem?
• Can the parties cause each other to breach their regulatory obligations?
• If the data controller breaches its GDPR obligations, the damages and sanction fees will be imposed on the controller
• If the data processor breaches its GDPR obligations or the data processor agreement, the damages and sanction fees will be imposed on the data processor
• Neither party will be liable for actions that they could not control or influence (art. 82.3)
Looking at article 28
• 28.1: obligation on data controller to only use processors that can give sufficient warranties
• 28.2: obligation on data processor regarding use of subprocessors
• 28.3: obligation on data controller to ensure a written data processor agreement with certain content
• 28.10: if the data processor decides the purpose and means of the processing, it should be considered to be a data controller
• Neither party can cause the other to breach these obligations
Looking at the data processor agreement
• Assume it is compliant with article 28
• Could the data processor, by breaching its contractual obligations, make the data controller breach the GDPR? No
• Could the data controller make the data processor break its GDPR obligations? No
• Could the data controller make the data processor breach the data processor agreement? No
• Neither party can, in the data processor agreement, cause the other to breach their regulatory obligations
Another possibility
• What if the data controller has imposed a contractual obligation on the data processor to fulfill some of the data controller's regulatory obligations?
  • Privacy by design
  • Privacy notices to data subjects
• In this scenario the data processor can make the data controller breach the GDPR
• But this is not a question for the data processor agreement
Are limitations of liability always irrelevant?
• Not in the scenario of contractual transfer of fulfillment of regulatory obligations (previous slide)
• What about article 82.4 and .5 situations?
• How could a party convincingly argue for a limitation of liability here?
• That would be to let the other party carry the risk for your own breaches of the GDPR or the data processor agreement?
Conclusion
• This is not a problem in data processor agreements
• Stop fighting and spend time on something more valuable
David Frydlinger
Partner
david.frydlinger@lindahl.se
+46 766 17 09 85