Spain – Supreme Court: Indemnity from a processor does not apply to the controller’s own breach of data protection law

In a recent decision, the Spanish Supreme Court ruled that a contractual indemnity clause did not allow a controller to recover regulatory fines from a processor where the fines arose from the controller’s own infringements of data protection law (STS 551/2023).

The underlying fine

The case arose when the Spanish Data Protection Agency (“AEPD”) imposed 26 sanctions on a controller for a range of data protection infringements in relation to customer acquisition and marketing activities. The controller carried out these activities using a third-party service provider, which processed personal data as a processor.

Those sanctions resulted in a total fine of 740,000 on the controller. The processor was also sanctioned.

The indemnity claim

The services agreement between the controller and the processor included an indemnity clause. Under that clause, the processor had to indemnify the controller if the controller was held liable for any damages caused by the processor in relation to the services agreement.

Following the AEPD fines, the controller brought a civil claim against the processor, arguing that the processor had failed to obtain consent from the data subjects on behalf of the controller and must therefore indemnify it against the fine imposed by the AEPD.

The court of first instance dismissed the claim. The appeal to the regional court of appeal was also dismissed on the basis that the sanctions imposed on the controller did not arise from the actions of the processor.

Supreme Court ruling

The controller appealed to the Spanish Supreme Court, arguing that the AEPD’s fine resulted from the infringements of the processor, including a failure to obtain valid consent from the data subjects on behalf of the controller when processing their personal data.

The Spanish Supreme Court rejected the controller’s appeal. In line with the original decision of the AEPD, the court concluded that the controller had instructed the processor to process personal data of prospective clients without meeting the conditions for consent established in the GDPR.

Accordingly, the controller breached its duty of care to ensure that prior express consent of data subjects was obtained before processing their personal data for marketing purposes. This breach of data protection laws by the controller cannot be shifted to the processor.

When might indemnity clauses be effective?

According to the Spanish Supreme Court, a controller can seek indemnification from the processor but only for sanctions resulting from infringements committed by the processor when performing the services agreement.

Indemnity clauses cannot be interpreted as allowing the controller to claim indemnification from the processor for the data controller’s own infringements of data protection laws.

Conclusion

It is common to include indemnity clauses in services agreements to cover data protection infringements by the processor. It is therefore interesting to see the Spanish Supreme Court clearly setting out the limitations on such clauses.

This decision of the Spanish Supreme Court is a clear demonstration that controllers are accountable and liable for compliance with data protection law, and cannot just delegate those obligations to their processors.