Search site
Contact our office
Make an enquiry
The extent of each party’s liability is a key part of a commercial contract and is likely to be subject to extensive negotiation. An indemnity is a promise usually made in a contract to pay money out on the occurrence of a specified event. It aims to protect Part A from suffering a financial loss arising out of the conduct of Party B, over which Party A has no control. Indemnities are important because it is much easier for an indemnified party to establish and recover their loss under an indemnity than through a normal breach of contract claim.
A service agreement which involves the processing of personal data (which includes the personal data of a contracting party’s customers) must include provisions relating to data protection. It is common for the contracting party to insist on an indemnity from the supplier for losses resulting from a breach of data protection provisions, including any fines imposed on them.
In July 2019 the Information Commissioner’s Office (ICO) published its intention to fine British Airways £183.39 million for breaches of the General Data Protection Regulations 2018 (“GDPR”). In October 2020 this fine was ultimately reduced to £20m. This stemmed from a cyber incident where user traffic to the British Airways site was diverted to a fraudulent site. As a result, approximately 500,000 customer details were obtained by attackers. At present, the highest maximum fine that the ICO can impose is 20 million Euros (or equivalent in sterling) or 4% of the total annual worldwide turnover in a company’s preceding financial year, whichever is higher.
In our digital world, cyber security threats are a reality for all businesses with an online presence. The British Airways case did not involve a breach of GDPR arising from the fault of a third party supplier. However, the seriousness of the GDPR breach and steep fine highlights how critical it is for a business to have recourse against a supplier who fails to safeguard their personal data, or any part of the business in which they have a responsibility under the service agreement. It is equally as important for a supplier to know what they are signing up to do and the extent of their liability under any indemnities.
Under the GDPR, a contract relating to the processing of personal data must include certain clauses and would normally include the following requirements for the supplier:
Typically the customer (as the data controller) may seek an uncapped indemnity from the supplier in full against all liabilities, costs, expenses, damages and losses (including any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by the customer arising out of or in connection with any claim brought against them in relation to breaches of data protection clauses within the service agreement.
An uncapped indemnity leaves a supplier open to an unlimited claim from the customer. If British Airways was able to establish that the data breach resulted from a failure of its supplier then that supplier may have been liable for £20 million which would have been unlikely to be covered by its insurance. This is why it is important for any prospective supplier to negotiate a cap on their liability.
A supplier should consider limiting its liability in the following ways:
Whatever the commercial agreement, you should always review the terms carefully and pay particular attention to indemnities and limitations on liability. If you would like us to help your business please contact our Corporate and Commercial Team on 01242 574244 or e-mail Head of Department, Jon Rathbone.
Comments