GDPR FAQs: Is a controller subject to administrative fines for the GDPR violations of its processor?

BCLP

The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world.  Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, BCLP is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Q. Is a controller subject to administrative fines for the GDPR violations of its processor?

No. 

There is a common misconception that the GDPR imposes joint and several liability such that a controller could be responsible for an administrative penalty of up to 4% of its annual global turnover if its processor were to violate the GDPR.  The misconception has caused some controllers to request, or mandate, that processors agree to unlimited liability in their service provider agreements to indemnify the controller for what might be a significant administrative penalty.

The GDPR does introduce a concept of joint and several liability, but only in the context of damages incurred by data subjects.  Damages, unlike administrative fines, are not calculated based upon the annual turnover (or gross revenue) of a company.  They typically require that an injured person explain to a court how they have been harmed, and prove how much monetary compensation that harm warrants.  The net result is that for damages to be awarded litigation must be brought by a data subject, and the data subject must demonstrate that it has been harmed by a GDPR violation.  As data privacy and security litigation in the United States has shown in many (if not most) situations that involve privacy rights, data subjects are not able to demonstrate that they have incurred actual harm or, if harm has occurred, are not able to prove that such harm amounts to economic compensable injuries.

In contrast, administrative fines are monetary penalties that can be assessed by a supervisory authority.  Those penalties do not require that a data subject come forward with an injury; nor must a supervisory authority be able to demonstrate how much data subjects have been harmed (or demonstrate that any data subject was harmed for that matter).  Administrative fines can be assessed in amounts of up to 2% or 4% of a company’s annual turnover depending upon the type and egregiousness of a violation.  There is no indication in the GDPR that a supervisory authority may assess an administrative fine against a controller for the alleged violation of a processor.  So, for example, if a processor experienced a data security breach as a result of security safeguards that were inadequate and in violation of Article 32 of the GDPR, a supervisory authority might be able to obtain an administrative fine against the processor based upon the inadequate security, but should not be able to obtain an administrative fine against the controller unless the controller independently violated the GDPR (e.g., failed to negotiate a contract that complied with Article 28, or failed to report the data breach to supervisory authorities or data subjects after becoming aware of the issue pursuant to Articles 33 and 34).

As a result, in the majority of situations, and in the context of most GDPR-related violations, the possible damages for which a controller might be jointly and severally liable are far less than the 2% or 4% of gross revenue that might be used as the basis for an administrative fine.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising

Written by:

BCLP
