To the extent that contract law does not fall within the exclusive competence of the European Union, the GDPR does not directly address the question of contractual liability between the parties, even if it outlines the provisions of a data processing agreement.
The CNIL, which published a GDRP Guide for Processors in September 2017, also fails to provide a clear answer on this topic (1).
GDPR and liability cap: a reminder of the key provisions
Article 28 of the GDPR imposes very clear obligations on the controller and the processor, which must be set out in the contract to be entered between them (2).
Article 82 of the GDPR, focused on “Right to compensation and liability”, contains provisions that directly influence the liability of the parties. On the one hand, it draws two lines that neither party can cross. In particular, there can be no exclusion of liability:
- towards the data subjects;
- towards the supervisory authority imposing a penalty.
On the other hand, it states that either party may exclude their liability if “it is not in any way responsible for the event giving rise to the damage”. Moreover, if a party has borne all or part of the compensation paid to the data subject, that party is entitled to claim back from the other controllers or processor involved in the same processing so that the burden is shared up to their respective part of responsibility in the damage.
The above provisions are fundamental as the financial risk towards the data subjects is substantial and will be further increased by the introduction of class actions (3).
GDPR and liability cap: the freedom of contract
Subject to the above provisions, the parties are free to opt for one or more of the following liability systems in their contract:
- full liability towards the data subject if the fault is exclusively attributable to one of the parties;
- a limitation of liability, applicable between them only and proportionate to the risk, without this depriving their contract of its essence;
- a mechanism for guaranteeing between them the risks towards the data subject, where applicable according to specific caps, including an irrevocable waiver of discussion (the party required to pay must do so) or of division (each party must pay only in proportion to its share of responsibility);
- a system of proof (best efforts obligation, performance obligation) adapted to the nature of the service concerned;
- a system of conciliation or ad hoc mediation.
All in all, the question of liability caps under the GDPR is thorny topic that requires discussion between the parties in order to find a solution that is reasonable and appropriate to the risk.
- CNIL’s Guide for Processors in French and in English September 2017
- Cloud Contracts: Impacts of GDPR on Processors, 7-8-2017
- French GDPR Implementation Bill (Projet de loi relatif à la protection des données personnelles) Doc. Ass. nat. n° 490, 13-12-2017
Article provided by
Eric Le Quellenec, Lawyer, Head of the IT Advisory department Lexing Alain Bensoussan Avocats
Eric Le Quellenec is a lawyer in Paris (France). A specialist in new technologies, information technology and communications law, Eric Le Quellenec is the Head of the IT Advisory department, where he also provides litigation services. He holds a Master 2 in business law (DJCE) and studied at the University of Ottawa (Canada). Having a solid experience in GDPR, he is leading the compliance programme of worldwide automotive and agribusiness groups.
He is the exiting Vice-President of the Young Lawyers Association of Paris (Union des Jeunes Avocats de Paris – UJA), and previously chaired the new technologies and prospective commission of the French federation of young lawyers associations (Fédération des Unions des Jeunes Avocats de France - FNUJA). He has been appointed expert for the business and IT commissions of the French Bar Association (CNB).