German Podcast Episode #214: Rahul's Key Achievements as Senior IT Counsel since 2010
8 minutes
Description
4 months ago
Neha: Welcome to the first episode of our miniseries "Rahul's Key
Achievements as Senior IT Counsel since 2010". Today we discuss
your work ensuring full GDPR compliance by embedding data
protection clauses into vendor agreements. Rahul, you
specifically integrated clauses on data minimization, breach
notification, and more. Why is this so critical?
Rahul: Thank you, Neha. A vivid example is the CNIL case in
France against Dedalus Biologie in 2022. Dedalus, a software
vendor, was fined €1.5 million because it had no GDPR-compliant
Data Processing Agreements (DPAs) with its laboratory clients
following a data breach. The contracts lacked the clauses
required by GDPR Article 28 on data minimization, security, and
breach reporting. This shows regulators penalize companies that
fail to flow down GDPR obligations to vendors.
Neha: Fascinating – this underscores that proactive contract
drafting isn’t just a formality, but existential risk prevention.
Another precedent would be the British Airways fine by the UK ICO
in 2018, correct?
Rahul: Exactly. The ICO not only criticized BA's response to the
breach but also noted BA had insufficient security safeguards in
vendor arrangements. This contributed to the £20 million fine.
Both cases prove: Embedding GDPR clauses in contracts is
essential to avoid liability – not mere formalism.
Neha: Let’s delve into a specific case study you analyzed. You
mentioned "TechCo", a US tech company expanding into the
EU?
Rahul: Correct. TechCo engaged a cloud service provider without a
proper DPA. When a breach occurred on the vendor’s servers,
contractual clauses requiring prompt notification were absent.
TechCo learned of the breach too late to meet GDPR’s 72-hour
notification deadline (Article 33). An EU regulator consequently
fined TechCo for violations of GDPR Articles 28 and
33.
Neha: And this is where your approach comes in: Had you acted as
Counsel for TechCo, would your standard breach notification and
minimization clauses have taken effect?
Rahul: Exactly. The vendor would have been contractually
obligated to inform TechCo immediately and implement strict data
protections. This would likely have prevented the delayed
notification – and possibly even the breach itself. Subsequently,
TechCo could have demonstrated to regulators that it had taken
appropriate contractual measures, potentially reducing
liability.
Neha: So robust contracts function both as a "sword" to steer
vendor behavior and a "shield" to document compliance
efforts?
Rahul: Precisely summarized. This personal case study I conducted
in my free time illustrates this dual purpose.
Neha: Which legal frameworks and authorities are key
here?
Rahul: Primarily the GDPR (EU) – especially Article 28 mandating
processing agreements with specific clauses, and Articles 33-34
on notification duties. Enforcement is by national Data
Protection Authorities like CNIL, ICO, or Italy’s Garante, which
sanctioned a company in 2023 for lacking a DPA with a call center
vendor. The European Data Protection Board (EDPB) issues
guidance, such as EDPB Guideline 07/2020 stressing both
controllers and processors must ensure a contract
exists.
Neha: And in the US?
Rahul: While no direct GDPR equivalent exists there, sectoral
laws like HIPAA for health data require similar agreements –
"Business Associate Agreements". The "data minimization"
principle originates from GDPR Article 5(1)(c), breach
notification from Article 33. The US Federal Trade Commission
(FTC) can also act if lacking vendor safeguards cause consumer
harm, as seen in an action against a mortgage analytics company.
My work ensures vendors are contractually bound to uphold these
principles and report incidents.
Neha: A thorough overview – thank you, Rahul! Next episode: IT
contract design in the cloud era. Until then!
Read German text here:
https://docs.google.com/document/d/1oEspwKpwMcjlN5BkId5-KTNIs7pywqDbp8g1lYnU2fg/edit?usp=sharing