top of page

Data protection issues in IT contracts


The Purpose of this article is to examine the Personal data processing issues relating to the provision of IT goods and services and cross border transfer of Personal data. While providing IT Services, many times, personal Data is processed. Such as when it is providing data hosting or processing services. Emergence of cloud computing, Software as a Service (SaaS), IT product & services is being provided as global solutions to international customers are few example when personal date may transferred cross border.


In case of transfer of Personal DATA is outside the European Economic Area, then the provisions in Chapter V of the EU GDPR are required to be met. These countries are called as third countries. Transfer may be made to third countries whose data protection laws are deemed adequate as per adequacy decision.

Exception to Adequacy decision

  1. In absence of adequacy decision, after providing appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available, Controller and processor may transfer personal data to third countries. Appropriate safeguards include the use of binding corporate rules or standard contractual clauses (SCCs);

  2. The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject;

  3. The transfer is necessary for the establishment, exercise or defense of legal claims.

Scenarios of transfer of Personal Data in IT contracts

1. Exporting personal data to the US from EU

There is no adequacy decision has been made in favour of USA. USA government and EU has agreed for EU-US Privacy Shield as a method of providing adequate protection for data transfers to the US under the DPD, and then the GDPR. Recently the ECJ gave its preliminary ruling in Schrems II declaring the EU-US Privacy Shield invalid. Many of the largest IT companies in the world, including Microsoft, Amazon and Oracle, were signed up to the EU-US Privacy Shield, meaning this judgment will have a significant impact on the IT sector.

Following this ruling, the EDPB adopted a set of FAQs to provide preliminary guidance on the steps organizations will need to take to continue to lawfully transfer personal data to the US and other third countries. These steps include putting in place alternative data transfers mechanisms, such as SCCs, using binding corporate rules or on derogation.

2. Exporting personal data to the UK from EU

After Brexit, UK’s status is as a third country and rule of adequacy decision shall be applicable on the transfer from EU to UK. Since EU commission has still not granted adequacy decision in favour of UK, IT suppliers and their customers must review their processing arrangements and put in place appropriate safeguards to ensure they are continuing to comply with the requirements of the EU GDPR.

In the meantime, provisions relating to personal data flows have been included as part of the UK-EU trade and co-operation agreement (TCA) which has applied on a provisional basis since the end of the transition period. These include an interim provision for transmission of personal data to the UK for four months from the TCA entering into force, to be extended by a further two months unless one of the parties objects, or, if earlier, until there is an adequacy finding for the UK

3. Exporting personal data from UK to EU

It will be covered under The DPA 2018 which provides that transfers from the UK to the EU can continue without additional protections being put in place, as EU countries will be deemed by the UK to have an adequate level of data protection.

4. Exporting personal data from UK to non-EU personal data transfers

These would need to meet the requirements of Chapter V of the UK GDPR.

IT industry used to use First Generation SCCs when dealing with exports of personal data outside of the EEA under the EU GDPR. The ECJ confirmed that the First Generation SCCs remained valid as an appropriate safeguard for international data transfers under the EU GDPR. However, the ECJ went on to say that transfers of personal data pursuant to SCCs can be suspended or prohibited if there is a breach of the SCCs or it is impossible to comply with them.

Provision is made in the DPA 2018 for the First Generation SCCs to continue to be valid for transfers from the UK to non-EU countries and the Information Commissioner will have the power to issue new clauses.

On 4 June 2021, the EU Commission adopted final versions of two new sets of SCCs:

  • A set for the transfer of personal data from the EEA to third countries under Articles 28(7) and 46(2)(c) of the EU GDPR; and

  • A set for use between controllers and processors within the EEA under Article 28 of the EU GDPR.

These will come into force twenty days after publication in the Official Journal of the EU.

Practical steps to be taken when entering into an IT contract

In the beginning itself parties of the contract should do due diligence to confirm whether the relevant IT solution, or supplier relationship, will require the processing of personal data and if so:

  • Who will process that personal data?

  • Where will that personal data come from?

  • Where are the data subjects located?

  • If personal data will be transferred outside of the customer’s own IT architecture at any point, which locations (and jurisdictions) will it be transferred to?

  • Will the personal data be on-transferred at any point to any other locations or jurisdictions?

After identifying all potential data transfers, the parties will need to assess whether the transfers are subject to the export rules stipulated under the GDPR and whether a compliant transfer can be made by putting appropriate safeguards in place.

If a compliant transfer cannot be made, then the parties will need to consider whether they can restructure their IT solution so that the relevant data transfer can be avoided.

Liability for data protection compliance

One of the issues in finalization of IT contract is to determine liability in case of breach of data. Generally it is difficult to determine the correlation between the price of IT goods and services, and the value they can bring, or damage, they can cause, to the customer’s business. This creates conflict as customer wants to achieve the maximum protection possible against loss, while the IT supplier will only want to accept a level of liability which is commensurate with the value of the transaction to it.

IT suppliers will ask to limit liability for breach of data protection obligations, while the customer will generally ask to exclude liability for breach of these types of obligations from any liability cap.

For the breach of DATA, customer always wants uncapped liability whereas providers will always ask of capped liability. If uncapped liability is not acceptable to the IT supplier, the customer may negotiate a separate cap or a “supercap” for data protection liabilities. (A supercap provides additional cover for these breaches over and above the standard cap. In the “supercap” model, the losses in a general breach bucket count towards the supercap, and vice versa.)

However, determining and finalizing these caps and deciding what type of liability falls in and out of the cap is extremely difficult and need a good amount of negotiation between the parties.

Defining data protection liabilities is one of the challenges. For example, should it cover any loss or damage caused by a breach of data protection obligations, whether these arise under contract, statute, common law or otherwise? Or should it be wider still, and cover other related cyber obligations. Whether should this cover loss and damage to data generally, whether personal data or not?

When negotiating liability limits and exclusions, the customer should be mindful of the fact that a supplier may ask for these to apply mutually to each party.

If parties are not able to reach on solutions then below approach may help to resolve deadlock:-

  • Can the nature of the services be changed?

  • Can the customer control which personal data is processed via the IT goods or services? For example, can it isolate systems which contain the most sensitive personal data (such as HR data) so that this data is not accessible to the IT supplier at all?

  • If personal data be anonymised or pseudomised?

  • Can the customer control how the IT solution is structured or provided, to mitigate the processing risk: for example, can the customer select that data is hosted by the IT supplier only on servers located in certain countries?

  • Has the IT solution been designed to be compatible with data protection legislation, or else can the customer configure an existing solution to add more data protection safeguards,

Cyber insurance is exorbitantly high but may play in major role in plugging any residual liability exposure?


Follow LexTalk World for more news and updates from International Legal Industry.




bottom of page