Skip to content

What is a Data Protection Indemnity?

Table of Contents

Liability provisions under data processing agreements are a common negotiation topic for businesses. A customer sharing personal data with a third-party supplier commonly requests a data protection indemnity to protect their business from risk. In this article, we will explore what a data protection indemnity is and some of the key issues to note around data protection indemnities. 

What is a Data Processing Agreement?

A data processing agreement is an agreement between a data controller and a data processor under which the data controller shares personal data with the data processor. This document is mandatory under the UK General Data Protection Regulation (‘UK GDPR’). 

A data controller is a person or organisation that decides how and why to collect and use personal data. On the other hand, a data processor is a separate person or organisation that processes personal data on the controller’s behalf and by following their instructions.

In business, data controllers commonly share personal data with third-party processors who act on their behalf to process personal data. For example, companies often use external IT services suppliers to help them with IT support. The suppliers often have access to staff and customer data to help individuals with their IT queries. Additionally, companies often use external payroll suppliers, who will use staff details to run payroll services to pay staff. 

In these scenarios, the companies will need a data processing agreement if the third party suppliers will have access to personal data. This is because data protection law requires the parties to enter into a written agreement setting out each party’s obligations under the UK GDPR.

A data processing agreement must contain various clauses around the data processor’s responsibility to protect personal data. For example, clauses around keeping personal data secure and confidential. 

Front page of publication
GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

What is a Data Protection Indemnity?

As part of data processing agreement negotiations, the apportionment of liability is a crucial issue. Indemnities are clauses to address specific known risks under a contract. 

An indemnity is a promise one party gives (the indemnifying party) to pay the other party (the indemnified party) for a specific loss they suffer under the contract if a trigger event occurs. The contract should explain what the trigger event is. It could be the indemnifying party’s: 

When a supplier gives an indemnity, it offers to compensate the customer in specific circumstances. Often, businesses believe indemnities are a quicker and easier route to recover losses, as opposed to breach of contract claims. As such, it is common for customers to request indemnities from suppliers in commercial contracts. 

A data protection indemnity is a specific indemnity whereby a party agrees to compensate the other for particular data protection losses. For example, a customer may request that the supplier indemnify them for any losses they suffer as a result of a personal data breach.

Since the GDPR came into force in 2018, it has been very common for data processing agreements to include supplier indemnities, given the scope for huge fines that companies could incur if they breach data protection law rules. 

A customer sharing personal data with you under a contract may request you indemnify them for various data protection law risks. As such, you should understand what an indemnity is and the risks you will undertake if you agree to provide one. 

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

What Should a Supplier Do If a Customer Requests a Data Protection Indemnity?

There are several steps you should take if a customer requests a data protection indemnity. 

1. Address Customer Concerns

You should note that the UK GDPR and the Data Protection Act 2018 do not obligate a data processor to provide an indemnity to a data controller in a data processing agreement. 

However, customers are likely to push for you to indemnify them for all costs, claims, damages or expenses the customer incurs due to you breaching the data processing agreement or data protection laws. A customer is likely to argue that they are entrusting you with their personal data, and you should therefore compensate them for any losses they suffer if you misuse it. 

UK data protection laws require data controllers to carry out due diligence on data processors with whom they will share personal data. As part of their risk assessments, data controllers will be highly concerned about their potential liabilities under the UK GDPR. After all, they could be responsible for several potential liabilities due to your breach. Therefore, data controllers often request stringent clauses around liability and indemnities to allocate risk. 

2. Negotiation 

Whether you should give an indemnity is a matter of negotiation with your customer. If you provide a customer with an indemnity for data protection losses, you could be responsible for very high costs if things go wrong. This is because an indemnity will create an obligation to pay the customer if they suffer loss or damages. 

Additionally, if your business causes a data breach (even accidentally) and you indemnify the customer for this, you may have to pay the customer on a pound-for-pound for any losses they suffer. These sums could be significant, depending on the amount of damage caused and losses the customer incurs. They could also be significantly higher than if the customer were to bring a breach of contract claim for damages against your business. 

3. Consider the Practical Implications

A few points to consider when a customer requests a data protection indemnity are as follows:

ConsiderationExplanation
Limit Your LiabilityEnsure your liability under the data protection indemnity is reduced as far as possible. You should seek to limit the financial amount you will pay a customer under a data protection indemnity, for example, by stating that your liability is capped at a maximum figure. 
Mitigation You should consider negotiating the indemnity clause so that the customer can mitigate its losses under the indemnity. 
Conduct of Claims ClauseYou can request a conduct of claims clause as part of the indemnity provisions. Such a clause would oblige the customer to notify you of any third-party data protection claims and hand control of the conduct of the claims over to you. 

Including these controls could help reduce the amount you would be liable to pay the customer under the indemnity clause. Indemnities are extremely complicated and heavily negotiated, and you should seek legal support if you need advice on indemnities. 

Key Takeaways

An indemnity is a contractual promise to reimburse a party if a particular trigger event occurs. It is common for data controller customers to request a data protection indemnity from suppliers in a commercial contract. Agreeing to a data protection indemnity will comfort your customers and help keep them happy. However, indemnities are complex and come with high risk. Therefore, you should approach indemnity negotiations carefully, understand the risks involved and take legal advice if you need support. 

If you need advice on a data protection indemnity clause, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Register for our free webinars

Preparing Your Business For Success in 2025

Online
Ensure your business gets off to a successful start in 2025. Register for our free webinar.
Register Now

2025 Employment Law Changes: What Businesses Should Know

Online
Ensure your business stays ahead of 2025 employment law changes. Register for our free webinar today.
Register Now

Buying a Tech or Online Business: What You Should Know

Online
Learn how to get the best deal when buying a tech or online business. Register for our free webinar.
Register Now

How the New Digital and Consumer Laws Impact Your Business

Online
Understand how the new digital and consumer laws affect your business. Register for our free webinar.
Register Now
See more webinars >
Sej Lamba

Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.

Read all articles by Sej

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards