Indemnities in Data Processing Agreements


First, Article 28(4) of the GDPR states that a service provider must "remain fully liable" to a controller to "fulfil" the "obligations" of its sub-processors. 1 It is important to note that this requirement of "full responsibility" for the performance of sub-processors may not need to be codified in the agreement between a controller and a processor. More specifically, Article 28 is structured in such a way that the requirements of Article 28(3) must be included in the contract between the parties. On the other hand, Article 28(4) does not provide that the contract between the controller and the processor must contain a statement of "full liability". The end result is that a subcontractor must be responsible for the performance of its sub-processors, but this responsibility does not have to be codified in the contractual relationship. It is also unclear whether regulators and courts will interpret liability for the "performance" of an obligation to mean that the processor is liable for damage caused by the performance of a sub-processor, or simply responsible for the processing carried out by the sub-processor. d. Subprocessor Updates. In accordance with Article 28(2) of the GDPR and the UK GDPR (if applicable), the following is an up-to-date list of: (i) any sub-processor involved in the processing of customers' personal data; (ii) the purposes for which the sub-processors process the Customer's personal data; and (iii) the location of each subcontractor. Snap will notify the data controller at least 30 days before adding a new processor. If the data controller is established in the EEA and transfers personal data to Snap Inc., Snap ULC or Snap Aus Pty Ltd, the data transfer agreement applies: 3.

Indemnification – Subcontractors must compensate for any processing they carry out that causes harm to third parties while they are engaged, or subsequently during the maintenance or processing of the controller's data. 4. Notification of breaches – Processors must notify the controller in accordance with the GDPR "without undue delay after becoming aware of a personal data breach" (Article 33(2)). The controller must report a data breach to the competent data protection authority within 72 hours of becoming aware of it. In addition, Article 33(3) of the GDPR sets out a list of items that the controller must include in its report to the competent data protection authority. The practice is not yet very mature. Liability provisions in data processing contracts range from general standard liability clauses (which must be interpreted in light of the GDPR's liability allocation rules) to clauses that extend the processor's liability as described above. We have also seen cases where the data processor limits its liability to the controller, which means that the controller will not be able to recover all the damages and fines paid as a result of the processor's actions. Of course, such protection is not bulletproof: if the breach is based on gross negligence or intent, the limitation does not apply.

Encryption of records belonging to Snap, including sensitive personal data, when stored, using appropriate levels of encryption based on state-of-the-art encryption standards, including AES-256, and storing user identities on the system using key-value pairs such as ghost_id to prevent the storage of the actual user ID; and aspects of the disclosure of personal data are controlled. The categories of data subjects to whom the Customer's personal data refers 9.1 Deletion of data. Subject to sections 9.2 and 9.3 below, Datazoom will act within 90 (ninety) days of the date of termination of the Agreement: There are two main sources of liability under the Regulation. The first concerns private claims by individuals. These claims can be brought against both controllers and processors. It is important to note that where both the controller and the processor are involved in the same processing of personal data, they may be jointly and severally liable. While this may seem like a significant new risk at first glance, it is not just the DPA fines that worry controllers. There is also the civil liability system. The GDPR states that individuals can claim compensation for damage suffered – material (e.g. financial) or non-material (e.g. emotional distress) – caused by unlawful processing. If a breach occurs due to unlawful processing by a processor, the controller is jointly and severally liable for the damage if it was itself at fault in any way, however small its share of that fault.

Only if the controller is entirely free of fault can it avoid any liability for a breach caused by its processor (Article 82(3)). (It should also be noted that this arrangement works the other way around as well, which means that a subcontractor can be held liable for violations caused by its controller.) f. Data Subject and Regulatory Requests. Snap will inform the Data Controller without undue delay, but in any case within two business days, of any request or complaint Snap receives from a data subject or supervisory authority in relation to Customer's personal data. Snap assists the Data Controller, to the extent commercially reasonable, in fulfilling the Data Controller's obligation to respond to requests from data subjects and supervisory authorities under Data Protection Law. The details of the transfer, and in particular the special categories of personal data, are set out, where applicable, in Annex 1, which forms an integral part of the clauses.

The clauses shall be governed by the law of the Member State in which the data exporter is established. e. Right to object. The Data Controller has the right to object to the addition of a new sub-processor as described in this section. In the event that the Data Controller objects to the processing of Customer's Personal Data by a newly appointed Sub-Processor, it will promptly notify Snap, and Snap will either: (i) request the Sub-Processor to cease any further processing of Customer's Personal Data, in which case this Agreement will not be affected; or (ii) allow the Data Controller to immediately terminate this Agreement. However, the subcontractor is not responsible for the essential obligations arising from the Regulation. For example, it is not responsible for ensuring that the processing complies with the conditions for lawful processing or that privacy notices are provided to individuals. When it comes to taking ultimate responsibility for a set of personal data, the responsibility lies with the data controller, so it is important to know whether you are one. Snap's data processing activities under this Agreement are as follows: But to what extent are these claims for unlimited liability justified? Finally, as many processors will point out, they can be held directly liable by data protection authorities (DPAs) under the GDPR – so if they violate it, DPAs will pursue them directly instead of going after their data controller customers; prosecuting the person responsible for the harm done to a processor is punishing a child for his father's sins. In fact, when my partner Renzo Marchini posted on LinkedIn about this topic the other day, respondents to his post made exactly that point – some made scholarly arguments under competition and criminal law about why this shouldn't/couldn't/could happen.