CAN MY CLIENTS CLAIM ME FOR A HACK OR LOSS OF THEIR DATA ON A HOSTING OR AN EXTERNAL CLOUD I HAVE USED?

02 Oct CAN MY CLIENTS CLAIM ME FOR A HACK OR LOSS OF THEIR DATA ON A HOSTING OR AN EXTERNAL CLOUD I HAVE USED?

Yes they can claim according to the rules of data protection. Failure to comply with the obligations of the supplier in charge of the treatment, whether a hosting service, cloud hosting, an agency, or any other may affect us as we are responsible for the treatment as we have hired those services.

Therefore, as responsible for the treatment of personal data we are obliged to hire suppliers that offer sufficient guarantees and not only that, but also to control their activity, arriving to audit them in the case of suppliers who do not offer full guarantees.

Therefore in practice, we, being the company or the professional responsible for the treatment, will have to deal with the claims of the stakeholders, as we have passive legitimation under the contract signed with them.

Except for some exceptions, the person concerned does not have the possibility of claim against the manager of the treatment (hosting, cloud, provider, management, etc.), and therefore if he wants to claim the damages suffered he will have to sue us (Responsible for the treatment), since we are the ones who have a contractual relationship with the person concerned.

The problem arises when we want to claim afterwards to the hosting company, Cloud, management, etc. for the sanctions of the Spanish Agency for data protection, which are very high, and seek compensation of what has been paid to the stakeholders, fines, etc. as we can find limitations of liability in the contract with our provider or coverage limitations on the provider’s insurance policy.

It is therefore vital for our company or our business to establish clear contracts that are also sufficiently free of liability limitations in favor of our suppliers. It is also important that we have access to the terms of their insurance and mechanisms of coverage. And it is also important that such suppliers have sufficient financial solvency, or maintain and pay the corresponding liability insurance to deal with those fines and indemnities that, once paid by us, we need to reclaim them later.

If our company does not do a selection, homologation and control of its suppliers at a previous stage, it will have to do these at a time when it may be too late.

The companies responsible for the treatment must revise their methodology of selection, homologation, recruitment and continuous control of the suppliers who treat personal data, in order to introduce measures that allow an adequate distribution of the responsibilities. It may well be said that in our company all this is a task of a position like the Data Protection Officer (DPO). And while the law obliges us to have a DPO in some cases, in others even not being obligatory, he can do an inescapable work that we need. Hence the generic recommendation that is made to companies and professionals with treatment of sensitive personal data, to adopt the figure of DPO.