GDPR, the European Data Protection Regulation, which came into force on May 25, 2018, introduced a new liability scheme specific to data processors.
What is the current state of this liability, three years after the GDPR came into force?
Two decisions of the French Data Protection Authority (CNIL), sanctioning a data controller and its processor, were issued on January 27, 2021. These decisions went relatively unnoticed because they were only the subject of a press release on the CNIL’s website. However, they are very instructive, since this the first time a processor’s liability is engaged under GDPR.
On the basis of Article 32 of GDPR, fines of €150,000 and €75,000 were imposed respectively on the controller and the processor for failure to implement measures against credential stuffing.
What were the circumstances of the case?
An online shopping website was subject to a large number of credential stuffing attacks. This practice consists of using a bot which attempts many connections, using information stolen from other websites. In response, the site operator, in its capacity as as data controller, and its subcontractor in charge of IT security, implemented a defense strategy consisting of developing an ad hoc software to protect the website against this type of attack. However, the development of this tool took a year, during which time customer data continued to be exposed.
What did the data breach consist of?
Customer data (name, email, date of birth, fidelity card number) was exposed between March 2018 and February 2019
Why were the parties found liable?
The CNIL considered that the following measures, simpler and faster to implement than developing an ad hoc software, would have enabled to avoid the data leakage:
- implementation of a CAPTCHA test at identification;
- limiting the number of authorized requests during identification.
What are the key takeaways?
A paradigm shift
Under the law applicable prior to GDPR, in the event of using a subcontractor services, the controller was solely liable and was required to ensure compliance with security measures.
As an example, in its deliberation of January 8, 2018, the CNIL imposed a fine of €100,000 on Darty, in its capacity as data controller, without imposing a fine on its processor, even though Darty used a software program developed by its processor to manage its after-sales service and the data leakage that led to this fine was the result of a security flaw in this software. Indeed, the CNIL reiterated that “the circumstance that data processing operations are entrusted to processors does not relieve the data controller of the responsibility incumbent upon it to preserve the security of the data processed on its behalf“.
The entry into force of the GDPR has led to a paradigm shift redefining the obligations of the actors involved in processing. The regulation has introduced a specific responsibility of the processor, without relieving the controller of his own.
In this example, if the decision had been pronounced under the RGPD, it would probably have been the two parties who would have been condemned.
A fine on the basis of the processor’s duty to advise:
This decision reveals that the processor is liable under its obligation to advise the controller. Indeed, the CNIL states in its press release that:
“The controller must decide on the implementation of measures and give documented instructions to its processor. However, the processor must also seek the most appropriate technical and organizational solutions to ensure the security of personal data, and submit them to the controller. ”
Nevertheless, apart from the decision of January 27, 2021, commented on in this article, to our knowledge, there is no decision in France, nor in Europe, condemning a processor on the basis of the GDPR.
Therefore, a number of questions remain unanswered:
How is liability shared in the event of a security breach?
It is not clear to what extent a data breach can be attributed to the controller, to the processor or to both.
As a reminder, Article 82 & 2 of GDPR provides: “A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller”.
However, pursuant to Article 28 of the GDPR the processor is required to:
- 28 a) process personal data only on documented instructions from the controller,
- 28 c) take all measures required pursuant to Article 32,
- 28 par. 2) immediately inform the controller if, in its opinion, an instruction infringes this Regulation.
Thus, the processor may be held liable whenever it has committed a specific breach of any of these obligations.
Who is liable for the failure to provide a written contract between the controller and the processor, as required by Article 28 of the GDPR?
If we rely on a decision of the Italian supervisory authority of January 14, 2021, only the controller is liable in this case. Indeed, the Italian authority held a controller (the Lazio Region) liable for failure to implement a written processing agreement with its processor. It imposed upon the controller a fine of 75,000 € for infringing Articles 5 and 28 of GDPR without sanctioning the processor. However, there is nothing in Article 28 that suggests that only the data controller would be subject to this obligation, and it is quite possible that another supervisory authority would adopt a different interpretation and fine a processor on this ground.
How effective are limitation or exclusion of liability clauses between the controller and its processor?
As a reminder, Articles 82 (paragraphs 1, 4 and 5) and Article 26 paragraph 3 of GDPR set out a principle of joint and several liability, according to which any division of liability between the actors of the processing would not be enforceable against the data subjects. This implies joint and several liability in the context of claims that may be brought by data subjects who have sustained damage. Thus, any actor of a processing operation, whether a controller, a joint controller or a processor, is bound to indemnify the data subjects for the damage as a whole, while the actor who has compensated the damage, in the context of a recourse action, is entitled to obtain a refund of the sums paid from the other actors of the processing who contributed to the damage.
Articles 82 and 26 do not expressly provide that joint and several liability applies to a supervisory authority, but it cannot be excluded.
In view of this joint and several liability, it is good practice for a data processor to ensure that its contracts with data controllers include a limitation of liability. This type of contractual clause has become commonplace in negotiations between the parties in the context of their Data Protection Agreement.
This type of clause is intended solely to limit the scope of the remedies available to the controller against the processor in the event of a data breach. On the other hand, no contractual arrangement can lead to a limitation of the processor’s liability with respect to a supervisory authority regarding the sanctions it may incur.
No decision has yet been issued on the interpretation or validity of such clauses. However, it seems to us that these clauses should be considered valid and of full effect. Only future case law will enable to assess their exact scope.
Aurele IT remains at your disposal to help you with your GPDR compliance. Please do not hesitate to send us your questions or comments at .
Partner Attorney, Member of the Paris Bar, Data Protection Officer
Aurele IT Law Firm
Master’s degree student in European law – Université Paris 2 Panthéon-Assas
 « Credential stuffing » : la CNIL sanctionne un responsable de traitement et son sous-traitant | CNIL (French)
 « Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk (…) for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk »
 Article 34 of the French Data Protection Act (Loi informatique et libertés): « The person in charge of processing is required to take all necessary precautions, in view of the nature of the data and the risks presented by the processing, to preserve the security of the data and, in particular, to prevent them from being distorted, damaged, or accessed by unauthorized third parties »