Adv Louis Nel Business Review Advice: Indemnities & the general data protection regulation ('GDPR') (Part 2) – Liability for breach
Let's briefly revisit the aims of the GDPR which, whilst aligned with POPIA, is worth considering in more detail:
- Assess security and privacy risks by means of a data protection impact assessment, i.e. identify when processing may result in risks to data. What is required is a 'systematic and extensive evaluation of the organisation's processes and what safeguards it has'. This is an essential and ongoing exercise that every business should carry out, documenting the outcome on a regular basis
- The assessment should address the origin, nature, likelihood and severity of such risks and existing remedies
- A business must show that it has implemented strategies not only to identify and pre-empt risk but also to manage and mitigate it.
- Preventative measures can include encryption and controlling privileges of users - ideally it should be impossible to tamper with and/or destroy data (See POPIA section 19)
- Regular audits of data must be carried out, and monitoring must be of such a nature as to detect breaches as early as possible
- It is imperative that security applies to the entire life cycle of data
- Incident response must be swift as it will impact on customers, brand & share value: engage lawyers, PR, insurance and the authorities
The IBM report suggests that you look at the half full rather than the half empty glass and 'Go Beyond Compliance':
- Cost benefit approach: in depth analysis of data processed and stored - if possible discard data that does not add value
- Make privacy part of corporate culture - it may well be a good idea to incorporate it in your corporate social responsibility policy, both from an ethical and moral perspective
- 'Leverage privacy to drive superior customer experience' - doing so may give you a competitive advantage, promote transparency, trust and brand resilience.
The GDPR makes it quite clear that non-compliance can result not only in penalties (as mentioned in my previous article and these are substantially more severe than those imposed by POPIA) but also claims for damages by the affected parties!
It should be borne in mind that the GDPR only applies to you if and when you market goods and services to EU subjects or a non-subject resident in the EU, i.e. it does not apply to EU citizens and residents living or holidaying outside the EU but the location of the service or product provider is irrelevant.
Whilst you may have an indemnity form to be signed, signage and/or a disclaimer clause in your T&C, compliance with the GDPR cannot be limited or waived. Thus your liability for administrative fines for a breach of the GDPR is non-negotiable.
The next question is: what about the data subject whose GDPR rights have been infringed and who wants to lodge a damages claim - can you apply your indemnity and disclaimer?
At the outset this aspect must be linked to your relationship with third party suppliers: not only should there be a reciprocal POPIA and GDPR indemnity and waiver in your favour but, as illustrated in my recent POPIA article in this regard (October 09 2023 via SATSA: INSERT #19 – 'USE OF OPERATORS & RELATED SECURITY'), POPIA requires you to have an adequate, formal, POPIA-compliant contract with such suppliers!
The claim for damages will be linked to non-compliance with the obligations specified by the GDPR. By definition there must be a causal link between such non-compliance and the damage.
The GDPR creates joint liability of the parties linked to the non-compliance, i.e. the liability of the principal (Responsible person/Controller) and the sub-contractor/third party supplier (Operator/Processor) is joint (Article 82(4)).
It is crucial to note that a data breach affecting a data subject may also entail negative monetary consequences for a third person whose data were not directly processed (Article 82(1)).
There are two types of damages: material damages are any out of pocket loss caused by a violation of the GDPR, including secondary harm (e.g. the loss of a job), whereas non-material damages are the emotional damage caused by the illegal processing of personal data itself.
Article 82(3) GDPR introduces a further prerequisite, i.e. 'responsibility' for the claim for damages, such as intent or negligence. Article 82(3) GDPR also contains a reversal of the burden of proof with regard to 'responsibility', i.e. responsibility is presumed.
The good news is that the Court of Justice of the European Union ('CJEU') laid to rest the notion that liability for GDPR administrative fines damages is strict and found that it must be proved that the controller was at fault, i.e. acted intentionally or negligently, in committing the alleged breach of the GDPR.
(The CJEU issued, on 4 May 2023, its judgment in National Public Health Centre under the Ministry of Health v State Data Protection Inspectorate ('VDAI') (C-683/21).)
Aspects of the above are drawn, with acknowledgement, from the discussion at https://gdprhub.eu/Article_82_GDPR
© ADV LOUIS NEL
LOUIS-THE-LAWYER
FEBRUARY 23 2024
DISCLAIMER - Each case depends on its own facts & merits - the above does not constitute advice - independent advice should be obtained in all instances
LOUIS' LEGAL ADVICE CLUB ('LAC') – obtaining legal advice & guidance can be quite costly (See below*), hence my LAC, via which you can obtain an hour's legal advice for R500,00 per month once you've joined AND the fee for additional hours is R1850 per hour! Furthermore, you are dealing with a lawyer who has been in tourism since 1982!
* The AVERAGE hourly rate is R2700 https://www.myggsa.co.za/how-much-do-lawyers-charge-per-hour-in-south-africa/