Can a company cap its liability for breach of its data protection obligations under a contract?

read titleRead full title
Published on LexisPSL on 12/12/2019

The following Information Law Q&A provides comprehensive and up to date legal information covering:

  • Can a company cap its liability for breach of its data protection obligations under a contract?
  • Contractual claims—general position
  • Arrangements with processors
  • Arrangements between joint or independent controllers
  • Life science collaborations

For the purposes of this Q&A:

  1. it is assumed that the question is whether parties to a personal data sharing or collaboration arrangement may agree a general liability cap on claims that may be brought by each party under that contract for breach of any of the data protection provisions in that contract, and

  2. it is only commented on the general position under the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) as it applies under the laws of England and Wales. Limitation of liability provisions in contracts are subject to general controls and restrictions imposed by both statute and by common law that are beyond the scope of this reply. For further guidance, see Practice Note: Exclusion and limitation of liability

Contractual claims—general position

Where two parties will share or otherwise collaborate in the processing of personal data, it is necessary to determine whether each party is acting as a processor, independent controller or joint controller. See Practice Note: Determining roles under data protection law in commercial transactions between businesses (processor, independent controller or joint controller).

As explained in Practice Note: Supply chains under data protection law—arrangements between controllers and processors, where one of the parties is a processor (or sub-processor), Article 28 of the GDPR will require that certain mandatory contractual terms are put in place.

As explained further in Practice Note: Personal data sharing

Popular documents