Be careful when selecting IT service providers!

Most companies use IT service providers in one form or another. The services offered by these companies are diverse, ranging from data storage in the Cloud and use of software in models such as software-as-a-service to the configuration of software by outside service providers. But even when these services are outsourced, the risk of liability in data protection law cannot be transferred entirely to the service provider. Recent court rulings such as those issued by the District Court of Munich (Case No. 31 O 16606/20 of 9 December 2021) (only in German) and by the District Court of Cologne (Case No. 28 O 328/21 of 18 May 2022) clearly demonstrate which liability risks companies face when using IT service providers.

Security measures

Both of these judgments involve a financial services company which allows clients to invest digitally, e.g. in stocks and securities. Through 2015, the company maintained a contractual relationship with an IT service provider, which received access data for an IT system. Even after the contractual relationship with this service provider came to an end, the access data was not changed or deleted. Ultimately, a cyberattack on the company's former contracting party resulted in the attacker receiving access to client data.

Both the District Court of Munich I and the District Court of Cologne found that the company's failure to change the access data over an extended period of time violated the GDPR, given the sensitivity of the affected data. In accordance with Article 32 of the GDPR, controllers are required to take appropriate technical and organizational measures in order to ensure a level of security for personal data which is appropriate to the risk. It follows, the courts found, that the controller cannot rely on the service provider duly deleting the access data itself. Rather, the controller is required to check that this was done, or at least to modify the data after a certain amount of time has passed. The District Court of Munich awarded a plaintiff € 2,500 in non-material damages and the District Court of Cologne awarded a plaintiff € 1,500. In light of the fact that the data breach affected a group numbering 33,200 people, the potential claims run in the millions.

Supervision of processors

The GDPR also establishes explicit requirements with regard to the selection and supervision of processors. Processors are typically involved in cases where personal data, e.g. relating to customers or employees, is processed in the Cloud by an outside service provider. This is the case, for example, if an IT company is tasked with providing an Exchange server for e-mails: a situation which applies to numerous companies. In accordance with Article 28(1) of the GDPR, controllers may only work with processors which provide sufficient guarantees of a level of security for personal data appropriate to the risk. It follows that controllers are required to monitor their processors, and that this requirement remains in effect for the entire duration of the processing. The relevance of these requirements was demonstrated e.g. in connection with the Hafnium security vulnerability. In such cases, the controller may be required to inquire whether the processor is taking the necessary steps to address known security vulnerabilities. Otherwise, the controller itself may face damage claims. In this case, the controller should consider the possibility of asserting recourse claims based on the underlying contractual relationship.

What are the consequences for companies?

Companies cannot rely blindly on outside IT service providers. Even if the latter are not processors, but receive access to IT systems by means of access data, it must be ensured that they receive access only for as long as absolutely necessary. The GDPR also establishes explicit monitoring requirements in connection with processors. If companies fail to comply with these requirements, they may face damage claims in the event of security incidents, which can rapidly mount and pose an existential threat if a large number of people are affected. If such an incident occurs, companies should examine the possibility of asserting recourse claims against the IT service provider. If the latter fails to take suitable security precautions or if it ignores or fails to adequately address security vulnerabilities, the company will typically be able to assert claims based on the underlying contractual relationship. Ideally, companies should translate data protection requirements into an effective compliance management system, taking into account the unique requirements for supply chain cybersecurity.
