The extent of each party’s liability is a key part of a commercial contract and is likely to be subject to extensive negotiation. An indemnity is a promise usually made in a contract to pay money out on the occurrence of a specified event. It aims to protect Party A from suffering a financial loss arising out of the conduct of Party B, over which Party A has no control. Indemnities are important because it is much easier for an indemnified party to establish and recover their loss under an indemnity than through a normal breach of contract claim.
A service agreement which involves the processing of personal data (which includes the personal data of a contracting party’s customers) must include provisions relating to data protection. It is common for the contracting party to insist on an indemnity from the supplier for losses resulting from a breach of data protection provisions, including any fines imposed on them.
In July 2019 the Information Commissioner’s Office (ICO) published its intention to fine British Airways £183.39 million for breaches of the General Data Protection Regulations 2018 (“GDPR”). In October 2020 this fine was ultimately reduced to £20m. This stemmed from a cyber incident where user traffic to the British Airways site was diverted to a fraudulent site. As a result, approximately 500,000 customer details were obtained by attackers. At present, the maximum fine that the ICO can impose is 20 million Euros (or equivalent in sterling) or 4% of the total annual worldwide turnover in a company’s preceding financial year, whichever is higher.
In our digital world, cyber security threats are a reality for all businesses with an online presence. The British Airways case did not involve a breach of GDPR arising from the fault of a third party supplier. However, the seriousness of the GDPR breach and the steep fine highlight how critical it is for a business to have recourse against a supplier who fails to safeguard the business’s personal data, or any part of the business for which the supplier has a responsibility under the service agreement. It is equally important for a supplier to know what they are signing up to do and the extent of their liability under any indemnities.
Under the GDPR, a contract relating to the processing of personal data must include certain clauses and would normally include the following requirements for the supplier:
Typically the customer (as the data controller) may seek an uncapped indemnity from the supplier in full against all liabilities, costs, expenses, damages and losses (including any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by the customer arising out of or in connection with any claim brought against them in relation to breaches of data protection clauses within the service agreement.
An uncapped indemnity leaves a supplier open to an unlimited claim from the customer. If British Airways had been able to establish that the data breach resulted from a failure of its supplier, then that supplier may have been liable for £20 million, which would have been unlikely to be covered by its insurance. This is why it is important for any prospective supplier to negotiate a cap on their liability.
A supplier should consider limiting its liability in the following ways:
Whatever the commercial agreement, you should always review the terms carefully and pay particular attention to indemnities and limitations on liability. If you would like us to help your business please contact our Corporate and Commercial Team on 01242 574244 or e-mail Head of Department, Jon Rathbone.
The information contained on this page has been prepared for the purpose of this blog/article only. The content should not be regarded at any time as a substitute for taking legal advice.