Many SaaS providers now face a recurring demand during contract negotiations: that they assume the risk of administrative fines imposed on their client, the data controller, in the event of a breach of the GDPR. This request usually takes the form of removing the liability cap for personal data breaches, or of setting a specific, very high ceiling. Is that reasonable? Is it legally justifiable? Nothing is less certain.
The GDPR rests on a clear principle: the data controller remains solely responsible for complying with its own data processing obligations. The processor (the "sous-traitant"), for its part, is liable for its own failings, in particular when it acts outside the documented instructions of the controller. Article 82 of the GDPR deliberately distinguishes between these two types of liability: each party is liable for the damage it has caused.
Requiring a SaaS provider to compensate the customer for a fine imposed on the customer therefore amounts to imposing a liability that is disconnected from the facts and contrary to the logic of the GDPR. The reasoning holds even less when the customer asks for this risk to be combined with unlimited liability.
The question of whether financial penalties imposed by administrative authorities are insurable was reopened in March 2025 by the ACPR, which recalled that such sanctions cannot be covered by insurance. Although this reminder did not concern the CNIL directly, it reaffirms a general principle: fines of a punitive nature are not insurable under French law.
Under the GDPR, the sanctions provided for in Article 83 are likewise based on the conduct of the parties. The supervisory authorities take into account the role, the specific failings and the cooperative or uncooperative behaviour of each actor. In practice, when a data controller is sanctioned, it is most often because it has not sufficiently supervised its processor, has not put in place adequate contractual and organizational measures, or has not responded appropriately to reported failures. These are the breaches the CNIL generally sanctions, as governance failures. In other words, the fine is tied to the client's own failure to meet its supervisory obligations.
This does not mean that the service provider is exempt from all responsibility: it may incur contractual liability, or even be subject to a direct sanction if it has failed to meet its own obligations as a processor. But in that case the fine is directed at the service provider itself, not at the customer. There is therefore no reason to make the service provider bear a fine imposed on the customer, since that fine sanctions a breach specific to the customer.
In theory, this does not rule out indemnification or risk-sharing clauses. But their legal effectiveness is uncertain, especially where they tend to make one party bear the manifest fault of the other. A court could refuse to apply such a clause if it violates the principles of contractual fairness or offends public order. This does not mean such clauses should be excluded from the outset, but that they should remain strictly proportionate to the circumstances, the role and the actual fault of the provider.
SaaS providers have every interest in structuring their contractual position around arguments that are both legal and operational, combining principles of liability with levers of reassurance:
- They are not insurers: their mission is to provide a compliant, secure and auditable service, not to guarantee all of the client's obligations. When a customer chooses to outsource data processing, it is usually because it lacks the necessary resources, tools or skills in-house. That does not mean, however, that it can absolve itself of responsibility entirely. It is legitimate for each party to assume its share of the risk, according to its role and its degree of involvement. Making a service provider bear all the risk without adjusting price or scope is neither equitable nor economically coherent.
- Most service providers implement robust and auditable security measures, often in accordance with market reference standards (ISO 27001, SOC 2, etc.). These systems reflect a level of requirement that is rarely achieved internally without specific investments or dedicated resources.
- They are open to transparency, by accepting audits, by responding to compliance questionnaires, and by offering reasonable contractual guarantees. These are all control mechanisms that they implement to reassure their customers.
- In some cases, the data processed may be of low criticality (anonymized, pseudonymized, non-sensitive) or the uses may be tightly controlled. These elements must logically be taken into account in the risk analysis and in the calibration of contractual commitments.
Finally, an essential point deserves emphasis: the level of contractual liability must remain proportionate to the value of the contract. It seems unreasonable, in equity as well as in law, to impose unlimited liability on a service provider for a contract worth a few thousand euros per year, when the risk is often shared and technically controlled.
Refusing unlimited liability is not the same as evading obligations. Service providers must be able to offer balanced alternatives: limited liability, commitment to reinforced resources, auditability, rapid incident notification, cooperation in the event of an investigation, etc.
For customers, the challenge is to secure their obligations as data controllers, without unreasonably transferring the consequences of their own choices or their internal governance.
Responsible negotiation means not confusing compliance obligations with obligations of result, nor contractual liability with insurance coverage. It is on this fair distribution of roles and risks that a lasting relationship of trust between customer and service provider is built, in the service of effective and realistic compliance.
Active collaboration between the parties, both before and after the contract is signed, is often the best assurance of lasting compliance. A transparent exchange on the nature of the data processed, the safeguards put in place and the respective roles often leads to a balanced solution, to the benefit of both parties.
For any questions or support, do not hesitate to contact us by writing to cchance@squairlaw.com.
Caroline Chancé, partner lawyer at Squair