
What is a Data Protection Indemnity?

Summary

  • A data protection indemnity is a contractual promise where one party agrees to compensate the other for losses arising from data protection breaches.
  • It is commonly included in data processing agreements where a supplier handles personal data on behalf of a customer.
  • These clauses can expose the indemnifying party to significant financial risk, especially where breaches lead to fines or claims.
  • This guide explains data protection indemnities for UK business owners, including how they operate and key risks in commercial contracts.
  • It is prepared by LegalVision’s business lawyers, a commercial law firm that specialises in advising clients on data protection and commercial contracts.

Tips for Businesses

Do not accept broad indemnities without review. Limit liability with caps, define trigger events clearly, and include obligations for the other party to mitigate loss. Align indemnity scope with your actual control over data and ensure insurance coverage supports potential exposure.


A data protection indemnity is a contractual promise where one party agrees to compensate the other for specific losses arising from data protection breaches, such as misuse of personal data or failure to comply with data protection laws. It is typically included in data processing agreements to allocate risk, but it can expose the indemnifying party to significant financial liability if a breach occurs, making it a key point of negotiation in commercial contracts. This article explains what a data protection indemnity is, how it works, and the risks businesses should consider before giving one.

What is a Data Processing Agreement?

A data processing agreement is an agreement between a data controller and a data processor under which the data controller shares personal data with the data processor and sets out how the processor may handle it. A written contract of this kind is mandatory under Article 28 of the UK General Data Protection Regulation (‘UK GDPR’) whenever a processor processes personal data on a controller’s behalf.

A data controller is a person or organisation that decides how and why to collect and use personal data. On the other hand, a data processor is a separate person or organisation that processes personal data on the controller’s behalf and by following their instructions.

In business, data controllers commonly share personal data with third-party processors who act on their behalf. For example, companies often use external IT services suppliers for IT support; those suppliers typically have access to staff and customer data in order to resolve IT queries. Similarly, companies often use external payroll suppliers, who use staff details to run payroll and pay employees.

In these scenarios, the company will need a data processing agreement because the third-party supplier has access to personal data. Data protection law requires the parties to enter into a written agreement setting out each party’s obligations under the UK GDPR.

A data processing agreement must contain various clauses around the data processor’s responsibility to protect personal data, such as clauses requiring the processor to keep personal data secure and confidential, to act only on the controller’s documented instructions, and to assist the controller with security and breach-notification obligations.


What is a Data Protection Indemnity?

As part of data processing agreement negotiations, the apportionment of liability is a crucial issue. Indemnities are clauses that address specific, known risks under a contract.

An indemnity is a promise one party (the indemnifying party) gives to pay the other party (the indemnified party) for a specific loss it suffers under the contract if a trigger event occurs. The contract should define the trigger event clearly. It could be the indemnifying party’s breach of the data processing agreement, its breach of data protection law, or a personal data breach affecting the customer’s data.

When a supplier gives an indemnity, it offers to compensate the customer in specific circumstances. Businesses often see indemnities as a quicker and easier route to recovering losses than a breach of contract claim: because the indemnity is a standalone promise to pay, the customer may not need to prove the usual elements of a damages claim, and the ordinary contract-law limits on recovery (such as remoteness of loss and the duty to mitigate) may not apply unless the clause says so. As such, it is common for customers to request indemnities from suppliers in commercial contracts.

A data protection indemnity is a specific indemnity whereby a party agrees to compensate the other for particular data protection losses. For example, a customer may request that the supplier indemnify them for any losses they suffer as a result of a personal data breach.

Since the GDPR came into force in 2018, it has been very common for data processing agreements to include supplier indemnities, given the scale of the fines companies can incur if they breach data protection law.

A customer sharing personal data with you under a contract may request you indemnify them for various data protection law risks. As such, you should understand what an indemnity is and the risks you will undertake if you agree to provide one. 

Key Statistics

  1. £14 million: Combined ICO fines issued to Capita group companies in 2025 for UK GDPR security failings following a major data breach.
  2. £3.07 million: ICO fine imposed on Advanced Computer Software Group Ltd in 2025 for security failings as a processor under the UK GDPR, following a ransomware attack.
  3. 66%: UK firms with cyber insurance coverage. Cyber insurance may cover some breach-related losses, but whether a policy responds to sums paid under a contractual indemnity depends on its wording; many policies exclude liability that is assumed by contract.


What Should a Supplier Do If a Customer Requests a Data Protection Indemnity?

There are several steps you should take if a customer requests a data protection indemnity. 

1. Address Customer Concerns

You should note that the UK GDPR and the Data Protection Act 2018 do not oblige a data processor to provide an indemnity to a data controller in a data processing agreement. The UK GDPR does, however, contain its own allocation of liability: under Article 82, a controller or processor that has paid full compensation to an individual may claim back from the other party the share corresponding to that party’s responsibility for the damage. A contractual indemnity goes further than this statutory position and is a matter of negotiation.

However, customers are likely to push for you to indemnify them for all costs, claims, damages or expenses the customer incurs due to you breaching the data processing agreement or data protection laws. A customer is likely to argue that they are entrusting you with their personal data, and you should therefore compensate them for any losses they suffer if you misuse it. 

UK data protection law requires data controllers to use only processors that provide sufficient guarantees of compliance, which in practice means carrying out due diligence on you before sharing personal data. As part of their risk assessments, data controllers will be highly concerned about their potential liabilities under the UK GDPR: a controller can be fined by the ICO and sued by affected individuals for a breach that its processor caused. Therefore, data controllers often request stringent liability and indemnity clauses to allocate that risk to the supplier.

2. Negotiation 

Whether you should give an indemnity is a matter of negotiation with your customer. If you provide a customer with an indemnity for data protection losses, you could be responsible for very high costs if things go wrong, because the indemnity creates an obligation to pay the customer whenever the trigger event occurs and the customer suffers loss.

Additionally, if your business causes a data breach (even accidentally) and you have indemnified the customer for this, you may have to pay the customer on a pound-for-pound basis for any losses it suffers. These sums could be significant, depending on the damage caused and the losses the customer incurs, and could be considerably higher than the damages the customer could recover through a breach of contract claim against your business.

3. Consider the Practical Implications

A few points to consider when a customer requests a data protection indemnity are as follows:

Consideration: Limit your liability
Explanation: Ensure your liability under the data protection indemnity is reduced as far as possible. You should seek to limit the financial amount you will pay a customer under the indemnity, for example by stating that your liability is capped at a maximum figure, and check that the cap is not undone by a separate clause that excludes the indemnity from the general limitation of liability.

Consideration: Mitigation
Explanation: You should negotiate the indemnity clause so that the customer is expressly obliged to mitigate its losses under the indemnity, since that duty may not otherwise apply to an indemnity claim.

Consideration: Conduct of claims clause
Explanation: You can request a conduct of claims clause as part of the indemnity provisions. Such a clause would oblige the customer to notify you promptly of any third-party data protection claim, to hand control of the defence and settlement of the claim over to you, and not to admit liability or settle without your consent.

Including these controls could help reduce the amount you would be liable to pay the customer under the indemnity clause. Indemnities are complicated and heavily negotiated, and you should seek legal support if you need advice on them.

Key Takeaways

An indemnity is a contractual promise to reimburse a party if a particular trigger event occurs. It is common for data controller customers to request a data protection indemnity from suppliers in a commercial contract. Agreeing to a data protection indemnity will reassure your customers and help keep them happy. However, indemnities are complex and carry high risk. Therefore, you should approach indemnity negotiations carefully, understand the risks involved and take legal advice if you need support.

If you need advice on a data protection indemnity clause, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What is a data protection indemnity?

A data protection indemnity is a contractual clause where one party agrees to compensate the other for losses arising from data protection breaches, such as misuse of personal data or failure to comply with data laws.

When do businesses use data protection indemnities?

Businesses commonly include them in data processing agreements, especially where one party handles personal data on behalf of another and needs to allocate risk for potential breaches.

Are data protection indemnities required under UK law?

No. UK GDPR and the Data Protection Act 2018 do not require indemnities. They are negotiated between parties as part of commercial contracts to manage risk.

What risks should you consider before agreeing to one?

You may face significant financial exposure, including covering losses, claims or fines. You should negotiate limits, such as liability caps, and ensure the clause reflects realistic and manageable risks.


Sej Lamba

Sej is an Expert Legal Contributor at LegalVision. She is an experienced legal content writer who enjoys writing legal guides, blogs, and know-how tools for businesses. She studied History at University College London and then developed a passion for law, which inspired her to become a qualified lawyer.

Qualifications: Legal Practice Course, Kaplan Law School; Graduate Diploma in Law, Kaplan Law School; BA, History, University College.


About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.
