[co-author: Ali Umutlu]
In a decision on immaterial damages under Article 82 of the EU General Data Protection Regulation (GDPR), the Higher Regional Court of Dresden, Germany (case number 4 U 940/24), set out important monitoring and auditing obligations of controllers with respect to their processors.
The controller (defendant) operates an online music streaming service; the plaintiff is a customer of this service. The case was triggered by a data breach in November 2022 at a former processor of the controller, involving customers’ personal information (including email addresses, full names, ages, etc.).
The contract between the controller and the processor ended several years before the data breach at the end of 2019. According to the data processing agreement, the controller could choose between deletion or return of the data after the end of the processing. However, the controller never exercised this right. A few days before the termination of the agreement, the processor informed the controller by email that the data would be deleted the following day. Almost a year later, in December 2020, the processor sent another email to the controller announcing that the deletion was imminent. Nevertheless, it was not until early 2023 and after the data breach had been reported that the processor confirmed to the controller that (some kind of) deletion had been carried out.
The Higher Regional Court ruled that the defendant was in principle liable to the plaintiff for damages within the meaning of Article 82 of the GDPR, but that the plaintiff had not credibly demonstrated any emotional damage and therefore no compensation payments were awarded.
In its judgment, the court dealt extensively with the issue of a controller’s liability for the omissions of its processor. In particular, the court addressed the monitoring and auditing measures that a controller must exercise over its processor and how these measures must be designed.
In general, the court takes the view that:
- if a company selects an IT service provider that is known in the market as a leading and reliable provider, it can generally place trust in the provider’s expertise and reliability without the need for an on-site inspection, but
- increased requirements apply if large amounts of data or particularly sensitive data is hosted.
In the opinion of the Higher Regional Court, in the specific case this meant that the data controller was obliged to:
- exercise its rights towards the processor with respect to the deletion of the data (the data processing agreement allowed the controller to choose between deletion and return of the data);
- in case of deletion, obtain a written confirmation (i.e. a meaningful document certifying the deletion) from the processor, as detailed in the data processing agreement(s);
- immediately request the provision of the deletion confirmation, if no such confirmation has been provided within the contractually agreed period; and
- if necessary, carry out an on-site inspection (e.g., if the deletion confirmation remains outstanding).
The court also clarified that mere announcements of the data processor to delete the data (in the future) are not an adequate substitute for the confirmation that the data has already been deleted.
Conclusion and practical recommendation:
Even if the controller in the specific case has escaped being ordered to pay damages, the court has nevertheless affirmed the company’s liability.
Controllers should therefore take this judgment as an opportunity to review the robustness of their monitoring and auditing measures with regard to processors. Necessary measures must not only be introduced but also sustained and documented in such a way that they are sufficient as evidence in front of courts and supervisory authorities.
[View source.]
