Tuesday, 9 November 2021

Extraordinary termination of a contract due to a data protection breach
Contracts between companies can in individual cases be terminated for disregarding data protection.

by
Dr. jur. Dirk Lindloff, Lawyer
Specialist lawyer for intellectual property law
Specialist lawyer for information technology law
Companies often enter into contracts with other companies that (also) involve the processing of personal data. Examples include outsourcing CRM or ERP systems to IT service providers (cloud), where data may be lost because it is inadequately protected, or simply discovering that a website service provider (e.g. an advertising agency) uses the hosting services of a third party without being able or willing to conclude a data processing agreement with that third party. These are usually continuing obligations (long-term contractual relationships), but the client may also detect defects on the contractor's side already during the development phase of a piece of software or a website: the contractor simply refuses to follow "Privacy by Design" and does not align the product with data protection principles.
If something goes wrong with data protection, the question arises whether a data breach justifies extraordinary termination of the contract between the companies. After all, the controller could face fines and other consequences under the GDPR.
Statutory termination options
In principle, continuing contractual relationships can be terminated extraordinarily in accordance with § 314 BGB. The law requires good cause ("wichtiger Grund") for this. What constitutes good cause is left to the individual case, and ultimately to the assessment first of the parties and then, if a dispute arises, of the courts.
Data protection violations as good cause
To answer the question of whether data protection violations constitute good cause, criteria are needed that can be taken into account. It makes sense to use the catalogue of criteria that the GDPR gives the supervisory authorities for deciding whether a fine is to be imposed and how high it should be. This is found in Art. 83 (2) GDPR and contains the following criteria:
- the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the extent of the damage suffered by them;
- the intentional or negligent character of the infringement;
- any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;
- any relevant previous infringements by the controller or processor;
- the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;
- the categories of personal data affected by the infringement;
- the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
- where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;
- adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
Several of these criteria (in particular the nature, gravity and duration of the infringement, whether it was intentional or negligent, the degree of responsibility and the categories of data concerned, which the example below applies) appear suitable for the individual-case assessment required under § 314 BGB when deciding whether a violation is serious enough to permit extraordinary termination of the contract.
If, in the above example, the advertising agency refuses to drop the embedding of Google Maps because it is so convenient for the agency and it does not want to deal with (or has not budgeted for, in its all-inclusive offer) how to get an equally attractive map onto the website with OpenStreetMap, this could be regarded as a serious violation that is moreover intended to be permanent. It is intentional at the latest from the moment the client complains about it. The advertising agency alone is responsible for it if the client did not previously specify Google Maps for the maps. The categories of data concerned are not particularly sensitive, however, since they usually consist of the IP addresses of the persons affected, which cannot easily be assigned to a natural person. Nevertheless, given Google's storage of the data in the USA as a further aspect of the nature and gravity of the violation, one could well come to the conclusion that extraordinary termination is possible.
We are happy to apply our expertise to your case.
These statements are initial information reflecting the law applicable in Germany at the time of first publication. The legal situation may have changed since then. Furthermore, the information provided cannot replace individual advice on a specific matter; please contact us for that.