After you’ve had a serious data leak at your IT provider, you have to evaluate the issue. In the process, the question of whether your data is still in safe hands at that provider will be raised. You’ll be wondering whether it’s possible to get out of the contract that you have with the provider. You may even have to get out of it. I’ll be briefly discussing these issues in this article.

You will still be responsible, even if you have outsourced it

Privacy law has one very clear premise: if something goes wrong with the processing of personal data, the Dutch Data Protection Authority and the person concerned are always entitled to hold the party responsible for the processing accountable. In other words, as an organisation you are still responsible for the proper processing of your ‘own’ personal data, regardless of whether you handle this data yourself or whether you outsource the processing or part of it, to an IT provider for instance.

Be careful how you choose an external party

Given who is responsible, it’s not such a bad thing that you are not allowed to outsource the processing of personal data to any arbitrary third party.
The Dutch Personal Data Protection Act [Wet bescherming persoonsgegevens] currently in force stipulates that you have to ensure that the external party ‘provides sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out’ (Section 14 of the Dutch Personal Data Protection Act).
The Dutch General Data Protection Regulation, which comes into effect on 25 May 2018, takes it a step further by stipulating that you may only engage those parties that ‘offer adequate guarantees for the application of suitable technical and organisational measures to ensure that the processing complies with the requirements of this regulation, and that the protection of the rights of those involved is guaranteed’.
Less literally put: if the external party does not have all its ducks in a row when it comes to privacy matters, then the law stipulates that you may not deal with them for the processing of your personal data.

Processor’s agreement required

The Dutch Personal Data Protection Act and the Dutch General Data Protection Regulation also require that you enter written agreements with that third party about the proper processing of personal data.
This kind of agreement is often referred to as a processor’s agreement. Instead of laying down those agreements in a separate document, you can make them part of the overall agreement.
Arrangements about security measures and the handling of data leaks form part of these mandatory agreements.

Is a provider disqualified if there is a data leak?

Suppose there has been a data leak. The dust has finally settled, you’ve notified the authorities, you’ve probably informed those involved, and now you’re ready to assess the whole issue. During your evaluation, the role of the provider could also come up for discussion.
In this context, the following questions could be raised:

  1. Do you have to get rid of the provider, now that there’s been a data leak?
  2. Can you get rid of the provider, now that there’s been a data leak?
  3. Can you claim damages from the provider?

Re 1. Do you have to get rid of the provider?
If the investigation shows that the provider failed to put proper security measures in place, and it is unlikely that things will improve, then it is doubtful whether the provider is offering you adequate safeguards/guarantees, as required under the Dutch Personal Data Protection Act and the Dutch General Data Protection Regulation. See the quotes from the Act cited above.

If you come to the conclusion that guarantees/safeguards are not in place, then you will have to part company with the provider. If you do not, then you will be in contravention of the Dutch Data Protection Authority and the Dutch General Data Protection Regulation, and the Dutch Data Protection Authority may well take legal action against you.

That said, you may not be able to get rid of your provider. Your contracts may not allow for this.

Re 2. Can you get rid of the provider?
When terminating contracts, you have to differentiate between giving notice to terminate the contract and cancelling it. Often contracts lay down specific rules for the grounds for termination in both cases, so first check the contract.

For termination by giving notice, contracts generally stipulate that they can only be terminated on a specific date of termination, and not before. If these matters have not been laid down, then in principle the client is entitled to terminate (Book 7, Section 408 of the Dutch Civil Code), albeit that early termination can lead to a claim for work not yet paid for.

As a general rule, there has to be breach on the part of the provider before you can terminate a contract. It is very questionable whether a data leak is proof of breach on the provider’s part. For this, you would first have to examine whether the provider failed to fulfil its obligations under the contract. (Simply put: was the security worse than what was agreed?) For that, you have to go back to what was agreed in the (mandatory) agreements about security.

The outcome of the investigation may be that the provider was not in breach, despite the fact that there was a data leak. This may be because the agreements in the processor’s agreement about the security measures to be taken were not detailed enough, for instance, because they were vague or very generic. It may be difficult to prove that the data leak exposed a shortcoming in the system.

It may be that a very sophisticated hack was what caused the data breach, or that it was down to a bug in the software used that was previously unknown to all those involved. Then, too, the provider would presumably get off scot-free because the law, and with it often the processor’s agreement, only requires appropriate security measures, not perfect security measures.

Incidentally, this does not affect the fact that the duty to report data leaks also applies to data leaks carried out by very clever hackers or in cases where circumstances beyond your control were to blame.

So, in other words, it is highly unlikely that you will be able to get out of the contract that you have with your provider because of a data breach.

Re 3. Can you claim damages from the provider?
I’ve blogged about this before. Check out what I had to say in this earlier blog.

Conclusion

If you’ve had a data leak, it is crucial to evaluate carefully whether your provider is offering you what you need. It may be that you are required by law to part company with that provider. If the contracts don’t cater for this, it’s highly unlikely that bidding farewell is going to be that simple. All the more reason not to take agreements about the protection of privacy lightly. Make sure you go into great detail about what it is you expect from your provider, otherwise you may run into trouble down the line.

If you have any questions about privacy law, don’t hesitate to contact me.

By Mark Jansen, IT and privacy law lawyer