Most companies use IT service providers in one form or another. The services offered by these companies are diverse, ranging from data storage in the Cloud and use of software in models such as software-as-a-service to the configuration of software by outside service providers. But even when these services are outsourced, the risk of liability in data protection law cannot be transferred entirely to the service provider. Recent court rulings such as those issued by the District Court of Munich (Case No. 31 O 16606/20 of 9 December 2021) (only in German) and by the District Court of Cologne (Case No. 28 O 328/21 of 18 May 2022) clearly demonstrate which liability risks companies face when using IT service providers.
Both of these judgments involve a financial services company which allows clients to invest digitally e.g. in stocks and securities. Through 2015, the company maintained a contractual relationship with an IT service provider, which received access data for an IT system. Even after the contractual relationship with this service provider came to an end, the access data was not changed or deleted. Ultimately, a cyberattack on the company’s former contracting party resulted in the attacker receiving access to client data.
Both the District Court of Munich I and the District Court of Cologne found that the company’s failure to change the access data over an extended period of time violated the GDPR given the sensitivity of the affected data. In accordance with Article 32 of the GDPR, controllers are required to take appropriate technical and organizational measures in order to ensure a level of security for personal data which is appropriate for the risk. It follows, the courts found, that the controller cannot rely on the fact that the service provider will duly delete the access data itself. Rather, the controller is required to check that this was done, or at least to modify the data after a certain amount of time has passed. The District Court of Munich awarded a plaintiff € 2,500 in non-material damages and the District Court of Cologne awarded a plaintiff € 1,500. In light of the fact that the data breach affected a group numbering 33,200 people, the potential claims run in the millions.
Supervision of processors
The GDPR also establishes explicit requirements with regard to the selection and supervision of processors. Processors are typically involved in cases where personal data, e.g. relating to customers or employees, is processed in the Cloud by an outside service provider. This is the case, for example, if an IT company is tasked with providing an Exchange server for e‑mails: a situation which applies to numerous companies. In accordance with Article 28(1) of the GDPR, controllers may only work with processors which provide sufficient guarantees of a level of security for personal data appropriate to the risk. It follows that controllers are required to monitor their processors, and that this requirement remains in effect for the entire duration of the processing. The relevance of these requirements was demonstrated e.g. in connection with the Hafnium security vulnerability. In such cases, the controller may be required to inquire whether the processor is taking the necessary steps to address known security vulnerabilities. Otherwise, the controller itself may face damage claims. In that event, the controller should consider the possibility of asserting recourse claims based on the underlying contractual relationship.
What are the consequences for companies?
Companies cannot rely blindly on outside IT service providers. Even if the latter are not processors, but receive access to IT systems by means of access data, it must be ensured that they receive access only for as long as absolutely necessary. The GDPR also establishes explicit monitoring requirements in connection with processors. If companies fail to comply with these requirements, they may face damage claims in the event of security incidents; where a large number of people are affected, such claims can rapidly mount and pose an existential threat. If such an incident occurs, companies should examine the possibility of asserting recourse claims against the IT service provider. If the latter fails to take suitable security precautions, or if it ignores or fails to adequately address security vulnerabilities, the company will typically be able to assert claims based on the underlying contractual relationship. Ideally, companies should translate data protection requirements into an effective compliance management system, taking into account the unique requirements for supply chain cybersecurity.