GDPR’s Most Frequently Asked Questions: Are processors required to fully indemnify controllers for the actions of their sub-processors and subcontractors?

BCLP

The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world.  Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, BCLP is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Q: Are processors required to fully indemnify controllers for the actions of their sub-processors and subcontractors?

Answer: Yes.

The GDPR imposes two requirements when a company uses a service provider.

The first requirement is that controllers must “bind[]” every service provider to, at a minimum, the thirteen substantive requirements found in Article 28 concerning the data that will be processed on behalf of a controller. Of those requirements, only one addresses liability. Article 28(4) provides that a service provider must remain fully liable to the controller for the performance of a subprocessor’s obligations.1 It is important to note that this requirement of “full liability” for the performance of subprocessors may not need to be codified in the agreement between a controller and a processor. Specifically, Article 28 is structured such that the requirements of Article 28(3) must be included in the contract between the parties. Article 28(4), on the other hand, does not state that the controller-processor contract must include “full liability” language. The net result is that a processor must be liable for the performance of its subprocessors, but that liability does not need to be codified in the contractual relationship. If you are a controller, however, you will want to require that the data processing agreement expressly state that the processor will remain “fully liable” for each subprocessor’s failure to fulfill its obligations thereunder in relation to the processing of any personal data.

The second requirement is that if a controller is based in the European Union and is transferring personal data to a processor that is based outside of the European Union, the parties must take steps to ensure that the jurisdiction to which the data is going affords the data “an adequate level of protection.”2 The United States, for example, is not considered to be a country that affords an adequate level of protection. Most companies satisfy this requirement by adopting contract provisions that have been pre-approved by the European Commission as guaranteeing an “adequate level of protection,” i.e., the Standard Contractual Clauses (“SCC”). Clause 11(1) of the controller-to-processor SCC provides that, in the event the subprocessor fails to fulfill its data protection obligations, the processor shall remain “fully liable” to the controller for the performance of the subprocessor’s obligations. The SCC provide that the parties shall not vary or modify the clauses. Accordingly, companies utilizing the SCC are required to include this language holding processors liable for the performance of their subprocessors.

1. GDPR, Article 28(4).

2. GDPR, Article 45(1).
