This article deals with the question of who is liable if a partner company, to whom personal data has been transmitted, suffers a data breach and the transmitted data is published on the internet or Darknet.
What is personal data?
Art. 4 sec. 1 of the GDPR defines personal data as any information relating to an identified or identifiable natural person.
Claim for damages
A person affected by a data breach, i.e. unlawful data processing, can claim damages in accordance with Art. 82 GDPR. Damage is deemed to have occurred if the claimant can prove that the incident has caused him or her anxiety or worry. There is no minimum threshold. For example, on 4 October 2024, the Regional Court of Lübeck ruled that a music platform had to pay damages to a consumer (case reference: 15 O 216/23).
Who is liable for the data breach?
In principle, according to Art. 4 sec. 7, 8 of the GDPR, the controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Processors are natural or legal persons, public authorities, agencies or other bodies which process personal data on behalf of the controller.
In order to avoid any liability when disclosing personal data (order processing), the company must conclude a contract or other legal instrument with the processor in accordance with Art. 28 sec. 3 GDPR. The purpose of the contractual obligation is to ensure that appropriate technical and organisational measures are implemented in such a way that further processing is carried out in accordance with the GDPR. If such a contract is missing, the data transfer is generally unlawful and constitutes a violation of the GDPR.
This is because the concept of involvement in unlawful data processing does not necessarily require that the controller itself was directly involved in the process that caused the damage. Rather, it is sufficient that the controller enabled the unlawful data processing. It follows that a controller that unlawfully transmits data to a third party may be involved in the further processing of this data by the third party, including processing that is contrary to instructions.
Possibility of exculpation
Exculpation according to Art. 82 sec. 3 GDPR requires that the controller succeeds in providing exculpatory evidence for its own contribution to the cause, with which it was still involved in the processing chain. If this contribution to the cause lies in the unauthorised disclosure of the data to a processor, then this requires that there is no responsibility to be held.
What has to be included in a contract according to Art. 28 GDPR?
A contract according to Art. 28 GDPR must contain at least the following information:
- Legal obligation of the processor to the controller,
- Essential contents of the data processing such as:
- subject and duration of the processing,
- type and purpose of the processing,
- type of personal data,
- categories of data subjects,
- Rights and obligations of the controller.
It should be noted, however, that the list of required details is not exhaustive and must be adapted to the needs and obligations of the respective company in individual cases. This is because companies face the threat of lawsuits for damages and heavy fines if they violate the regulation.
Grau Rechtsanwälte PartGmbB advises, audits and supports companies, including as an external data protection officer, in the area of data protection.
If you have any further questions, please contact our law firm on +49 (0) 40 180 364 020 or office@graulaw.eu.