
01 January 2019

Data Processing Agreements – allocation of liability between parties

Under the GDPR, every data controller that processes personal data through a data processor must conclude a GDPR-compliant data processing agreement with the processor. Parties may seek to negotiate the allocation of liability and shift it towards the other party. When doing this in Romania, we look at the interplay with the rules of the main forms of liability set out in the law.

According to the GDPR, anyone who has suffered material or non-material damage from an infringement of the GDPR is entitled to ask for compensation from the controller or processor. Controllers are fully liable, while processors are liable only for damage caused by their failure to comply with legal obligations or where they acted outside of or contrary to the controller's instructions. Controllers and processors are jointly liable.

Parties will always be interested in reducing or containing their liability. Controllers will not hesitate to pass on liability to their counterparties via contractual provisions, though it remains to be seen whether contractual liability allocation clauses can be applied. While Romanian law generally allows them, liability for damages caused intentionally or due to gross negligence generally cannot be waived. A contractual limitation or exclusion of liability towards data subjects or public authorities would in any case not be acceptable in practice.

Rules of allocation
Liability for misdemeanours and for violations of the law is personal and cannot be transferred. The same is true for liability for tort. In this case, controllers would be deemed liable for the actions of the persons that they supervise and control (processors usually fall into this category). However, this does not mean that the financial impact of the liability cannot be allocated to the other party contractually. A processor that does not follow the controller's instructions would be responsible for an offence and would take on the entire financial burden of the respective liability. This also applies, in a slightly different way, in circumstances of liability for tort. It should also be valid for processors that do not observe their obligations under the GDPR. It can further be argued that a processor that does not observe its legal obligations (other than those provided for in the GDPR) should assume the financial liability for this failure and the ensuing loss or damages caused to the controller as contractual indemnity to the controller. It is worth investigating if these limits can be pushed even further. Parties can rely on their contractual freedom to establish a more onerous liability regime for one of them, within the limits set out above on damages caused intentionally or out of gross negligence.

Liability clauses in practice
Practice is as yet not very developed. Liability provisions in data processing agreements range from general, standard liability clauses (which must be interpreted for enforcement against the liability allocation rules in the GDPR) to clauses expanding on the processor's liability as described above. We have also seen cases where the data processor caps its liability towards the controller, meaning the controller will not be able to recover the entire damage/fine paid as a result of the processor's actions. Of course, such protection is not bulletproof. If the breach is due to gross negligence or intention, the limitation will not apply.

Some other liability clauses provide that the processor will reimburse the controller for any third-party claims and for any official sanctions as a result of the processor's actions. This may be extensive and could be rendered inapplicable.

Enforcement of liability allocation provisions
Parties to data processing activities will be held jointly liable for damages caused by their processing. Contracts are enforceable and take effect only between the signing parties; therefore, third parties (i.e. data subjects, the data protection authority) cannot be bound by liability clauses agreed by the controller and data processor. Controllers may only request reimbursement of damages paid from the processor. In case of litigation, controllers may request that the processor be a party in the litigation process and the court may eventually oblige the processor to pay damages or fines relying on the contractual provisions allocating liability.

This article was co-authored by Carla Filip.


This article was up to date as at the date of publication, 10 December 2018.

