In the evolving legal landscape of data protection, several decisions by data protection regulators and courts across the EU and UK underscore the importance of proactive GDPR compliance from a contractual perspective. These issues are being scrutinised more closely in corporate due diligence transactions and by regulators in the event of a data breach or data subject complaint. We have summarised below some pertinent recent decisions and highlight, as a key takeaway, that regulators and courts will enforce GDPR requirements against both controllers and processors. In that light, organisations should re-evaluate and strengthen their contractual frameworks to ensure contracts align with data protection requirements and safeguard against potential pitfalls. In the UK, it is also particularly worth noting that all contracts relying on the old EU SCCs for UK transfers should have now been updated to either the UK IDTA or UK Addendum, as the deadline for this was 21 March 2024.

Key Decisions

  • The Court of Justice of the European Union (CJEU) has issued a number of judgments in relation to the engagement of processors by a controller and the importance of having a clear and detailed contract in place. In particular, in the Nacionalinis visuomenės sveikatos centras case (C-683/21), the CJEU clarified when a controller can be liable for processing carried out by its processor. In this case, the Lithuanian National Public Health Centre (NVSC) appointed an IT service provider (ITSS) to build a Covid-19 app. The NVSC provided ITSS with some design information and the questions to be asked within the app. The Lithuanian DPA opened an investigation into the app and the data processed by it. The Lithuanian DPA found various breaches of GDPR (including obligations relating to security) and imposed administrative fines on the NVSC and ITSS as joint controllers. NVSC challenged the fine, arguing that, as ITSS built the app and NVSC had not consented to ITSS making the app available to the public, ITSS was the sole controller of the relevant processing. The Vilnius Regional Administrative Court referred a number of questions to the CJEU, including on the concept of a controller’s liability under the GDPR.

  • The CJEU adopted a broad interpretation of ‘controller’ and held that the fact that:

    “(i) NVSC did not itself process any personal data, (ii) there was no contract between the NVSC and the company ITSS, (iii) the NVSC did not acquire the mobile application at issue and (iv) the dissemination of that application through online shops was not authorised by the NVSC – does not preclude the NVSC from being classified as a ‘controller’.”

    The CJEU held that although a controller can be liable for processing carried out by its processor, this does not extend to situations where the processor has processed personal data:

    • for its own purposes;
    • in a manner incompatible with the arrangements for processing as determined by the controller; or
    • in a way that the controller cannot reasonably be considered to have consented to.

  • In November 2023, the Belgian Data Protection Authority (Belgian DPA) issued a decision imposing a reprimand on a public authority and its processor for various infringements of the GDPR, including the lack of a timely signed data processing agreement (see our blog post for further information on the decision). The Belgian DPA concluded that it was the responsibility of both the controller and the processor to ensure a written data processing agreement was in place at the material time. This decision followed that of the French Data Protection Authority (CNIL) in 2022, which concluded that the processor alone may be held responsible for the absence of a data processing agreement between it and the controller.

Key Takeaways

  • The above decisions demonstrate the importance of controllers documenting their instructions when engaging processors (and of processors being clear on their remit) – it is very difficult to demonstrate that a processor acted in a manner incompatible with the controller’s instructions if those instructions are not clearly set out in a detailed contract.

  • It is important to negotiate appropriate data protection provisions in the contract from the outset of an engagement – both for vendors and customers. Retrospective arrangements will not cure historic non-compliance, and regulators and courts will not hold back in enforcing GDPR requirements against both controllers and processors.