GDPR’s Most Frequently Asked Questions: Are processors required to fully indemnify controllers for all of their processing actions?

April 15, 2019

The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world.  Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, BCLP is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Q: Are processors required to fully indemnify controllers for all of their processing actions?

Answer: The GDPR is unclear.

The concept of processor liability is discussed within at least three legal sources.

First, Article 28(4) of the GDPR states that a service provider must “remain fully liable” to a controller for “the performance” of its subprocessors’ “obligations.”1  It is important to note that this requirement of “full liability” for the performance of subprocessors may not need to be codified in the agreement between a controller and a processor.  Specifically, Article 28 is structured such that the requirements of Article 28(3) must be included in the contract between the parties.  Article 28(4), on the other hand, does not state that the controller-processor contract must include “full liability” language.  The net result is that a processor must be liable for the performance of its subprocessors, but that liability does not need to be codified in the contractual relationship.  It’s also unclear whether supervisory authorities and courts will interpret liability for the “performance” of an obligation as indicating that the processor is liable for any damages caused by a subprocessor’s performance, or is simply liable for ensuring that the processing is performed by the subprocessor.

Second, a similar requirement concerning liability for the actions of subprocessors can be found within the Standard Contractual Clauses (“SCC”).  The SCC for transfers from a controller to a processor are one of three mechanisms for transferring data from a controller in the European Economic Area to a processor that is located neither in the EEA nor in a country deemed to have laws that provide the same types of protections as the GDPR.  Clause 11(1) of the controller-to-processor SCC provides that in the event the processor uses a subprocessor, and the subprocessor fails to fulfill its data protection obligations, the processor shall remain “fully liable” to the controller for the performance of the subprocessor’s obligations.  As with Article 28(4), Clause 11(1) of the SCC does not provide that processors must indemnify controllers for liability arising from their own actions, nor does it specify whether the liability referred to is for damages caused by the subprocessor or simply the performance of the agreed-to processing activity.

Third, Article 82 of the GDPR states that “any person who has suffered material or non-material damage as a result of an infringement” by a processor of the regulation may receive compensation from that processor for the “damage suffered”2 and that a “processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.”3  It is not clear whether the reference to a “person” in this section of the GDPR is intended to encompass natural persons (i.e., data subjects) or natural persons and legal entities (i.e., data subjects, and controllers).  As a result, Article 82 may not require that a processor be “fully liable” for direct damages suffered by a controller as a result of its processing.  If a data subject successfully obtains damages against a controller for the unlawful processing of a processor, the controller is permitted to “claim back from the . . . processors involved in the same processing that part of the compensation corresponding to [the processor’s] part of responsibility for the damage . . . .”4 The GDPR is silent as to whether the ability of a controller to claim contribution for third party damages can be waived, capped, or limited by contract.

The net result is that while the GDPR does not require that a processor contractually assume any liability, processors that enter into the SCCs must, at a minimum, assume liability for the “performance” of processing assigned to subprocessors.   It remains to be seen whether the GDPR permits a controller to seek damages for any first party harm it incurs as a result of a processor’s violation of the regulation, or prevents the parties from limiting the ability of the controller to seek indemnification for first party damages, or third party liabilities.

1. GDPR, Article 28(4).

2. GDPR, Article 82(1).

3. GDPR, Article 82(2).

4. GDPR, Article 82(5).