A very brief report on a recent decision of the Hanseatic Higher Regional Court. The IT company had taken on the task of storing data “in the cloud”, i.e. on its own or third-party technical systems. This data was permanently lost; a backup evidently does not exist. The loss happened when the data was moved to another account. The data, which had not previously been marked as read-only, was permanently deleted, and there was no redundancy. The system also failed to check whether a redundant data backup existed.
The court found, and the decision is legally binding, that this conduct by the IT company's employee constituted gross negligence. On terminology: simple negligence occurs when “the care required in ordinary dealings has not been exercised”. In other words, someone was not paying attention. Gross negligence occurs when a significant, serious mistake has been made, one that people usually do not make in such a situation because the risk is very clearly identifiable. A popular example from the training of lawyers: you are driving on the motorway. The mobile phone falls into the footwell in front of the passenger seat. At 160 km/h the driver leans over to the passenger side, does not look ahead, and a serious accident occurs. The problem with a finding of gross negligence is insurance: some insurance companies do not pay in these cases.
The moral of the story: anyone who undertakes commercially to store someone else’s data must use sufficient technical and organizational means to ensure that no permanent loss of data occurs. This applies especially to personal data, and under the GDPR it must also be documented in these cases. In addition to the question of compensation for the customer, where personal data is stored, regulatory sanctions and compensation for the persons concerned may in future also come into play.
On these points I find the GDPR really good: it almost forces people to deal with the subject of “availability of data”. As an IT company, you should also pay attention to Article 32 of the GDPR, under which compliance with the regulations must be ensured by the processor and the party responsible (and not just by the IT company, as many current contracts now read). You can specify that the customer must also save the data. If this case law sets a precedent, you must be able to prove the existence of a risk analysis and the existence of appropriate technical and organisational measures. This is a data protection incident that must be reported to the public authority.
As a customer, make sure that appropriate measures really exist, and check that they are in place. In these cases, it is not advisable to pass on risks through general terms and conditions (GTC) and assume you are therefore safe, because as the party responsible under the GDPR you yourself must prove and document the existence and inspection of these measures.