12-06-2024 Article

Update Data Protection No. 194

Liability of Controllers for (Sub-)Processors – Recent Case Law on Avoidable Liability Risks

The Regional Court of Lübeck (Landgericht Lübeck, Judgment of October 4, 2024 – 15 O 216/23) and the Higher Regional Court of Dresden (Oberlandesgericht Dresden, Judgment of October 15, 2024 – 4 U 940/24) have further specified the obligations of controllers in the context of data processing by processors.

Controllers must ensure that any (sub-)processing of data is carried out within the framework of a contractual agreement (Art. 28(3) GDPR). The obligation to carefully monitor all (sub-)processors extends to the period after the termination of the contract. Exculpation from liability according to Art. 82(3) GDPR is not possible if controllers do not comply with these two requirements.

Background

Both judgments concern the theft of customer data at a data (sub-)processor of an online music streaming service. Affected consumers subsequently filed lawsuits against the online music streaming service for violating data protection regulations.

Liability for Data Protection Violations in the Context of Data Processing by Processors

Continuous Contractual Regulation of Data Processing from the Controller to the Sub-Processor – No Extension of a Data Processing Agreement to Group Companies

Whenever personal data is transferred to third parties for processing, a contractual agreement (Data Processing Agreement, DPA) under Art. 28(3) GDPR is required. The DPA must exist between the controller (Art. 4(7) GDPR) and the third party as the processor (Art. 4(8) GDPR).

The Regional Court of Lübeck ruled that a DPA between a corporate group acting as a processor and the controller does not automatically extend to other affiliates of the processor’s corporate group. If the controller transfers data to a group affiliate acting as a sub-processor, the controller must ensure that either a DPA exists between the processor and the sub-processor or that the controller enters into a DPA with the sub-processor directly. Otherwise, the transfer of personal data to the sub-processor is illegal.

If a (sub-)processor violates the GDPR, the controller is also liable for the violation if the data transfer was not based on a valid DPA. The controller can only exculpate themselves from liability under Art. 82(3) GDPR if they are not responsible for the unlawful transfer to the sub-processor. Negligent data transfer despite the absence of a DPA is sufficient to establish the controller's liability. Therefore, controllers are liable for a sub-processor's GDPR violation if they assume, without evidence, that valid DPAs exist within a corporate group when in fact there are no agreements regulating and legitimizing the data processing by the sub-processor.

Duty of Diligent Monitoring in Data Processing by Processors – Ongoing Obligations After Contract Termination

The Higher Regional Court of Dresden states in its judgment that the controller must carefully monitor the processors they have commissioned. This is an ongoing duty arising from Art. 28, 32 GDPR.

The extent of this duty depends on the specific circumstances of the case. For instance, if an IT service provider is already known to be reliable, there may be no special monitoring obligations. However, if particularly sensitive personal data within the meaning of Art. 9, 10 GDPR or large amounts of data are processed, increased control duties exist.

If a DPA is terminated, controllers must ensure that the (sub-)processor "actually deletes the data provided to him and issues a meaningful [written] certificate to this effect" (para. 25). This confirmation must include all personal data, including copies. If the (sub-)processor specifies a deadline for data deletion, the controller needs a renewed written confirmation after the deadline that the personal data provided has actually been completely deleted. If controllers cannot demonstrate that they have fulfilled their monitoring duties even after the end of the contract regarding the deletion of data by the (sub-)processor, they remain liable for post-contractual data protection violations by the processor.

Conclusion

Both judgments specify the ongoing duties of controllers in the context of data processing by processors.

In practice, controllers should review and ensure that any commissioning of third parties with the processing of personal data is carried out within the framework of data processing agreements (DPAs). If a controller directly transfers personal data to a sub-processor, they must ensure that this transfer is also governed by a DPA. It is important to note that DPAs with corporate groups do not extend to group affiliates by default, and controllers should not assume (without concrete evidence) that DPAs exist within a group. Where DPAs exist with corporate groups, controllers must verify that all data processing by group affiliates is also governed by DPAs.

Upon termination of a DPA, controllers should obtain a written confirmation from the (sub-)processor regarding the deletion of all transferred personal data. This confirmation must cover all data, including copies. A mere confirmation of future deletion (e.g., within 21 days) is not sufficient.

Controllers can reduce their liability risks by complying with these two key requirements in the context of data processing. This also facilitates their exculpation from liability under Art. 82(3) GDPR if a data protection violation occurs at a (sub-)processor.

We are happy to assist you in ensuring compliance with legal requirements and avoiding known liability risks. This includes, among other things, the legal design of (sub-)processing relationships and their termination.

Note: Appeals or revisions against the judgments have been allowed. Should any changes arise regarding the obligations discussed here, we will provide updates accordingly.
