Be careful when selecting IT service providers!

Most companies use IT service providers in one form or another. The services offered by these companies are diverse, ranging from data storage in the Cloud and use of software in models such as software-as-a-service to the configuration of software by outside service providers. But even when these services are outsourced, the risk of liability in data protection law cannot be transferred entirely to the service provider. Recent court rulings such as those issued by the District Court of Munich (Case No. 31 O 16606/20 of 9 December 2021) (only in German) and by the District Court of Cologne (Case No. 28 O 328/21 of 18 May 2022) clearly demonstrate which liability risks companies face when using IT service providers.

Security measures

Both of these judgments involve a financial services company which allows clients to invest digitally, e.g. in stocks and securities. Through 2015, the company maintained a contractual relationship with an IT service provider, which received access data for an IT system. Even after the contractual relationship with this service provider came to an end, the access data was not changed or deleted. Ultimately, a cyberattack on the company's former contracting party resulted in the attacker receiving access to client data.

Both the District Court of Munich I and the District Court of Cologne found that the company's failure to change the access data over an extended period of time violated the GDPR, given the sensitivity of the affected data. In accordance with Article 32 of the GDPR, controllers are required to take appropriate technical and organizational measures in order to ensure a level of security for personal data which is appropriate to the risk. It follows, the courts found, that the controller cannot rely on the service provider duly deleting the access data itself. Rather, the controller is required to check that this was done, or at least to modify the access data after a certain amount of time has passed. The District Court of Munich awarded a plaintiff € 2,500 in non-material damages and the District Court of Cologne awarded a plaintiff € 1,500. In light of the fact that the data breach affected a group numbering 33,200 people, the potential claims run in the millions.

Supervision of processors

The GDPR also establishes explicit requirements with regard to the selection and supervision of processors. Processors are typically involved in cases where personal data, e.g. relating to customers or employees, is processed in the Cloud by an outside service provider. This is the case, for example, if an IT company is tasked with providing an Exchange server for e-mails: a situation which applies to numerous companies. In accordance with Article 28(1) of the GDPR, controllers may only work with processors which provide sufficient guarantees of a level of security for personal data appropriate to the risk. It follows that controllers are required to monitor their processors, and that this requirement remains in effect for the entire duration of the processing. The relevance of these requirements was demonstrated e.g. in connection with the Hafnium security vulnerability. In such cases, the controller may be required to inquire whether the processor is taking the necessary steps to address known security vulnerabilities. Otherwise, the controller itself may face damage claims. In that event, the controller should consider the possibility of asserting recourse claims based on the underlying contractual relationship.

What are the consequences for companies?

Companies cannot rely blindly on outside IT service providers. Even if the latter are not processors, but receive access to IT systems by means of access data, it must be ensured that they receive access only for as long as absolutely necessary. The GDPR also establishes explicit monitoring requirements in connection with processors. If companies fail to comply with these requirements, they may face damage claims in the event of a security incident, and these claims can rapidly mount and pose an existential threat if a large number of people are affected. If such an incident occurs, companies should examine the possibility of asserting recourse claims against the IT service provider. If the latter fails to take suitable security precautions, or if it ignores or fails to adequately address security vulnerabilities, the company will typically be able to assert claims based on the underlying contractual relationship. Ideally, companies should translate data protection requirements into an effective compliance management system, taking into account the unique requirements for supply chain cybersecurity.
