
How to Mitigate Liability Risks

Data protection is not only a matter for top-level management: how to deal with data protection-related liability risks

With the GDPR coming into force, a company's liability towards data subjects for non-compliance gains significant importance. Under the GDPR, any person who has suffered damage as a result of an infringement of data protection law is entitled to compensation for his or her material and non-material damage, and may claim that compensation from the controller or the processor. Administrative fines come on top of this: the GDPR provides for fines of up to EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher) for one group of infringements, and up to EUR 20 million or 4% of that turnover (whichever is higher) for the more serious group. In addition, the Austrian Data Protection Act 2018 entitles the Austrian Data Protection Authority to impose fines of up to EUR 50,000 for certain further administrative offences.

Vis-à-vis the data subject or third parties, a controller and a processor that are both responsible for the damage are jointly and severally liable. In practice this means that either the controller or the processor may be required to pay the entire sum of compensation itself and must then seek reimbursement from the other company involved by way of an internal recourse claim. That recourse claim is limited to the share of the damage that corresponds to the other company's part of the responsibility.

Think ahead – start right now with compliance checks for existing and future contracts 

When transferring data outside the EU and/or the EEA, or before engaging a cloud service provider as a data processor, special attention should be paid to the contractual framework in order to ensure compliance with the Austrian Data Protection Act 2018 and the GDPR. Existing contracts should be reviewed for compliance and, where necessary, revised. If your company is planning to engage service providers outside the EU, ask them during the contract negotiations how they will ensure compliance with the GDPR.

Limit recourse claims with internal liability rules

Address liability and recourse in the course of contractual negotiations with processors and/or joint controllers, so that the internal allocation of responsibility is settled before a claim arises.

Document data processing operations in your record of processing activities and update the document on a regular basis

Implement “privacy by default” and “privacy by design”

Examples of "privacy by design" measures are pseudonymisation, backups and physical security measures.

Raise awareness among your employees by providing them with dedicated data protection training

Pay attention to notification obligations and to cases requiring prior consultation of the authority

As the explanations above have shown, the GDPR sets a high standard of individual responsibility. This is a further reason to pay close attention to compliance, since the GDPR requires, in certain cases, a notification to and/or even prior consultation of the Data Protection Authority. Even though this concerns only a limited number of situations that are unlikely to arise frequently, the European legislator included them in the GDPR on purpose, and non-compliance can be fined with the maximum penalty.

Be careful with codes of conduct or certifications

The GDPR also provides for codes of conduct that can serve as interpretation tools for compliance with the GDPR; how useful these codes will be in practice remains to be seen. The intention of the European legislator was to give associations and other bodies representing specific categories of controllers and processors the opportunity to prepare industry-specific codes of conduct. Codes of conduct approved by the Austrian Data Protection Authority can then be cited as evidence of compliance with the GDPR. In addition to codes of conduct, the EU is promoting data protection certification mechanisms as well as data protection seals and marks, to which the same considerations apply.

However, it is important to keep in mind that such certifications are by no means a "GDPR compliance ticket"; they should rather be regarded as an additional element of evidence of compliance with the GDPR.

As the Austrian Data Protection Authority has not yet issued a statement or guidelines on these measures, it remains to be seen to what extent the Authority will take such certifications and seals into account during its compliance audits.