Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

Cloud Contracts, GDPR and Liability Caps


Liability caps in contracts under the GDPR is a hot-button issue for data controllers and data processors.

A few days before the application of the General Data Protection Regulation, the allocation of risk — and thus the issue of the liability cap — plays an important role in the negotiations of data processing agreements.

To the extent that contract law does not fall within the exclusive competence of the European Union, the GDPR does not directly address the question of contractual liability between the parties, even if it outlines the provisions of a data processing agreement.

The CNIL, which published a GDRP Guide for Processors in September 2017, also fails to provide a clear answer on this topic (1).

GDPR and liability cap: a reminder of the key provisions

Article 28 of the GDPR imposes very clear obligations on the controller and the processor, which must be set out in the contract to be entered between them (2).

Article 82 of the GDPR, focused on “Right to compensation and liability”, contains provisions that directly influence the liability of the parties. On the one hand, it draws two lines that neither party can cross. In particular, there can be no exclusion of liability:

  • towards the data subjects;
  • towards the supervisory authority imposing a penalty.

On the other hand, it states that either party may exclude their liability if “it is not in any way responsible for the event giving rise to the damage”. Moreover, if a party has borne all or part of the compensation paid to the data subject, that party is entitled to claim back from the other controllers or processor involved in the same processing so that the burden is shared up to their respective part of responsibility in the damage.

The above provisions are fundamental as the financial risk towards the data subjects is substantial and will be further increased by the introduction of class actions (3).

GDPR and liability cap: the freedom of contract

Subject to the above provisions, the parties are free to opt for one or more of the following liability systems in their contract:

  • full liability towards the data subject if the fault is exclusively attributable to one of the parties;
  • a limitation of liability, applicable between them only and proportionate to the risk, without this depriving their contract of its essence;
  • a mechanism for guaranteeing between them the risks towards the data subject, where applicable according to specific caps, including an irrevocable waiver of discussion (the party required to pay must do so) or of division (each party must pay only in proportion to its share of responsibility);
  • a system of proof (best efforts obligation, performance obligation) adapted to the nature of the service concerned;
  • a system of conciliation or ad hoc mediation.

All in all, the question of liability caps under the GDPR is thorny topic that requires discussion between the parties in order to find a solution that is reasonable and appropriate to the risk.



  1. CNIL’s Guide for Processors in French and in English September 2017
  2. Cloud Contracts: Impacts of GDPR on Processors, 7-8-2017
  3. French GDPR Implementation Bill (Projet de loi relatif à la protection des données personnelles) Doc. Ass. nat. n° 490, 13-12-2017


Article provided by

Eric Le Quellenec, Lawyer, Head of the IT Advisory department Lexing Alain Bensoussan Avocats

Eric Le Quellenec is a lawyer in Paris (France). A specialist in new technologies, information technology and communications law, Eric Le Quellenec is the Head of the IT Advisory department, where he also provides litigation services. He holds a Master 2 in business law (DJCE) and studied at the University of Ottawa (Canada). Having a solid experience in GDPR, he is leading the compliance programme of worldwide automotive and agribusiness groups.

He is the exiting Vice-President of the Young Lawyers Association of Paris (Union des Jeunes Avocats de Paris – UJA), and previously chaired the new technologies and prospective commission of the French federation of young lawyers associations (Fédération des Unions des Jeunes Avocats de France - FNUJA). He has been appointed expert for the business and IT commissions of the French Bar Association (CNB).


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.