12-04-2024 Article

Update Data Protection No. 194

Liability of the controller for (sub-)processors – current case law on avoidable liability risks

The Regional Court of Lübeck (Landgericht Lübeck, judgment of October 4, 2024 – 15 O 216/23) and the Higher Regional Court of Dresden (Oberlandesgericht Dresden, judgment of October 15, 2024 – 4 U 940/24) have further specified the obligations of the controller in the context of commissioned data processing.

Controllers must first ensure that all (sub-)contracted data processing is carried out under a contractual agreement (Art. 28 (3) GDPR). Second, the obligation to carefully monitor all (sub-)processors extends beyond the end of the contract. A controller that fails to meet these two requirements will not be exonerated under Art. 82 (3) GDPR.

Background

Both judgments concern the theft of customer data by a (sub-)processor of an online music streaming service. Affected consumers have each brought an action against the online music streaming service for violating data protection regulations.

Liability for data protection violations in the context of commissioned data processing

Comprehensive contractual regulation of commissioned data processing from the controller to the sub-processor – no extension of a data processing agreement to group companies

If personal data is passed on to a third party for processing, a contractual agreement in accordance with Art. 28 (3) GDPR (a data processing agreement, DPA) is always required. The DPA must be concluded between the controller (Art. 4 no. 7 GDPR) and the third party; it is this agreement that makes the third party a processor within the meaning of Art. 4 no. 8 GDPR.

In this regard, the Regional Court of Lübeck has ruled that a DPA between the controller and a group company acting as processor does not automatically extend to other companies in the processor's group. If the controller passes data on to such a group company as a subprocessor, it must ensure either that an agreement pursuant to Art. 28 (3) GDPR exists between its contractual partner (the processor) and the group company (the subprocessor), or that the controller itself concludes an agreement pursuant to Art. 28 (3) GDPR with the subprocessor. Otherwise, the transfer of personal data to the subprocessor is unlawful.

If a processor or subprocessor violates the GDPR, the controller is also liable for that violation where the data transfer was not based on a valid DPA. The controller can only be exonerated under Art. 82 (3) GDPR if it is not responsible for the unlawful transfer of data to the subprocessor; a negligent transfer despite the absence of a DPA is already sufficient to establish liability. Accordingly, the controller is liable for a data protection breach by the subprocessor if it relied, without verifying this, on the assumption that DPAs existed within the processor's group, when in fact no DPAs governing and legitimizing the subprocessor's data processing were in place.

Duty of careful monitoring in the context of outsourced data processing – continuing permanent duty even after the end of the outsourced data processing

In its judgment, the Higher Regional Court of Dresden states that the controller must carefully monitor the processor it has engaged. This is a continuing duty arising from Art. 28 and 32 GDPR, and it does not end with the contract.

The specific form of this obligation depends on the circumstances of the individual case. Where an IT service provider is already known to be reliable, no special monitoring obligations generally apply. Where particularly sensitive personal data within the meaning of Art. 9 and 10 GDPR, or large volumes of data, are processed, however, the control obligations are heightened.

If the DPA is terminated, the controller must ensure that the processor or subprocessor “actually deletes the data provided to it and issues a meaningful [written] certificate to that effect” (marg. no. 25). The controller must ensure that the written confirmation of deletion covers all personal data transferred, including, for example, any copies. If the (sub-)processor specifies a period within which the data will be deleted, the controller must obtain a further written confirmation after that period has expired, stating that the personal data provided has actually been completely deleted. If the controller cannot prove that it has fulfilled its monitoring obligations with regard to deletion by the (sub-)processor even after the end of the contract, it remains liable for post-contractual data protection violations by the processor.

Conclusion

Both judgments substantiate the controller's continuing obligations in the context of outsourced data processing.

In practice, controllers should check and ensure that any commissioning of third parties to process personal data takes place within the framework of a data processing agreement. If a controller itself forwards personal data to a subprocessor, it must ensure that this transfer is also based on a data processing agreement. Controllers must bear in mind that an existing DPA does not extend to the processor's group companies, and must not assume (without specific evidence) that DPAs exist within a group. Where a DPA is in place with one company of a group, controllers must therefore satisfy themselves that all data processing by other group companies is likewise based on a DPA.

After termination of a DPA, the controller should obtain written confirmation from the (sub-)processor that the personal data transferred has been deleted. This confirmation must show that all personal data transferred to the processor has been deleted. Copies of the personal data transferred must also be included. A mere confirmation of future deletion (e.g. within 21 days) is not sufficient.

Controllers can reduce their liability risk by observing the two requirements mentioned above in the context of outsourced data processing. In doing so, controllers enable and facilitate their exculpation in accordance with Art. 82 (3) GDPR should a data protection breach occur at the (sub-)processor.

We will be happy to help you ensure that your data processing activities are legally compliant and avoid known liability risks. This includes, among other things, the legal design of (sub-)contracting relationships and their termination.

Note: Leave to appeal (Berufung or Revision, respectively) has been granted against each of the judgments. Should the obligations in the context of commissioned data processing change as a result, we will present the changes in an update.
