Q&As

A is a customer of supplier B. Where A has mistakenly paid third party C, as a result of C having hacked into B’s records and issued a (false) invoice apparently in the name of B, but payable to C’s account, is B liable to A in damages for the money A paid to C?

Published on LexisPSL on 01/06/2018

The following Dispute Resolution Q&A provides comprehensive and up-to-date legal information covering:

  • A is a customer of supplier B. Where A has mistakenly paid third party C, as a result of C having hacked into B’s records and issued a (false) invoice apparently in the name of B, but payable to C’s account, is B liable to A in damages for the money A paid to C?
  • Data protection implications
  • Contract
  • Restitution for unjust enrichment

Data protection implications

The company, as controller of the customer’s personal data, must comply with its obligations under the Data Protection Act 1998 (DPA 1998) (prior to 25 May 2018) and the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) (from 25 May 2018). The definitions of personal data under both DPA 1998 and the GDPR are wide and may include information such as the customer’s email address.

Where a data controller has failed to comply with its data protection obligations, this can give rise to a claim for compensation under DPA 1998, s 10 or Article 82 of the GDPR/Clause 166 of the Data Protection Bill (which is currently before Parliament). In this case, relevant obligations with which the controller must comply include:

  1. the seventh data protection principle under DPA 1998, which requires that controllers take appropriate technical and organisational measures against unauthorised or unlawful processing of, and accidental loss of or damage to personal data (DPA 1998, Sch 1, para 7)

  2. the integrity and confidentiality principle under the GDPR, which requires that personal data be processed in a manner that ensures appr
