Can a subcontractor held "hostage" data because of default of payment

Hello everyone,

I’m actually in a situation where I’m reviewing a subcontractor contract, regarding the supply of a cloud software. In this contract, there is this paragraph :

In all cases where this Contract is terminated and provided that the Customer has paid the full amounts due to the Supplier, the Supplier will make available to the Customer for download, for a period of fifteen (15) days at from the effective date of termination or expiration of the contract, a file in Excel format containing all of the Customer’s Data.

As far as I know, the subcontractor must delete or give back all personal data at the termination of the service (Art 28 $3g), but that kind of situation is not taken into account.

There might be some national laws governing this matter and I’m waiting for the answer of the legal department, but I was wondering what is your tought about that kind of clause ?

What specifically are your concerns with that clause? That Supplier is not forced to perform work without compensation? That deletion is not discussed? That Excel is not an appropriate format?

This looks potentially OK from the GDPR perspective, assuming that Customer Data might include personal data. Of course, that clause means that Customer as a data controller might not be able to be fully GDPR-compliant without paying the full amounts, which will become a larger problem if Customer goes bankrupt. It would be vastly preferable for the Customer if access is unconditional and possible at any time, without the data being held hostage. For example, the service of making the data available for download for 15 days could be pre-paid so that it would not be impacted by potential outstanding bills for other services.

Another option to avoid potential issues is for Customer to never rely exclusively on the Supplier, and to immediately back up any data so that later download would be unnecessary. Of course, that is not an option for many more interesting cloud services.

I should have given more context. ^^

My concern is that the Customer here is a group of subsidized organization, which doesn’t have any other source of income that these subsidies. So the scenario of one organization running out of money is to consider. Furthermore, the loss of access to these personal data can have an important, even critical impact on the concerned person.

I totally understand the need for a company to have a leverage if it’s not paid, but if this situation occur, it may go beyond just GDPR compliance and actually harm people. Our legal department is studying the case, but I was wondering if in that context, we can argue that this clause is not GDPR compliant and should be removed. :slight_smile:

And as you foresaw, no, the user-side download of the data is not an option in the software, and it would be difficult to not rely exclusively on the supplier, as it would need 2 times the work for the already limited resources.

I think that this clause is likely not GDPR compliant. As you mentioned, as stipulated in Art. 28(3)(g) GDPR, the contract governing the contract should include “at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;”

This effectively means that when the provision of the cloud service ends, the controller has either a choice or this choice can already be made by specifying it in the contract. Take a look at EDPB Guidelines 07/2020 para. 1.3.7.

The requirement that the controller has paid the full amounts due to the Supplier effectively undermines the concept of Art. 28(3)(g) GDPR, which aims to ensure that the personal data are subject to appropriate protection after the end of the“provision of services related to the processing”.

You mention that the scenario of the controller losing funds to pay for the cloud service is a scenario that must be taken account, considering this it would be even more important to remove the requirement. E.g. if the company cannot pay anymore, effectively goes bankrupt, will the processor then just keep the personal data for an undefined period because you haven’t paid?

There are other legal means available for the processor to seek remedy and seek the amounts due; taking personal data hostage is not the way.

1 Like

It’s an interesting clause and I can see arguments for it being both compliant and non-complaint. I would note though that the clause doesn’t relate to deletion, only provision of the data in a particular way, so I think the clause is probably fine if the agreement also requires the vendor to delete the data on request. At a push, even if a deletion provision isn’t included, there is likely an argument the agreement is compliant in any case if it requires vendor to only process data in accordance with the instructions of the controller (processor in this case), as the vendor could simply be instructed to delete the data on termination.

On the other hand, I do agree with Hugo that this type of clause does raise questions. It suggests to me (even if the contract doesn’t say it), that the vendor intends to retain the data after termination whatever happens, and I don’t see any good reason to do that unless requested to by the customer (eg so the data can be transferred to another vendor in the near future). That has risks for the customer if a regulator considers the customer to still be responsible for that data post termination, but also for the vendor if a regulator decides the vendor has actually become a controller post termination.

Overall it seems like a murky area. I also understand the vendors concerns, but this doesn’t seem to be the right way to address them. It’s probably better to address it in the services schedule or whatever provisions address the obligation to perform the services, rather than in the DPA


As usual, you provide great insight on topics that are off the beaten track.

This reassures me to have raised this point with my colleagues in view of your answers, and have now some additional arguments (for and against) during potential negotiations with this subcontractor. And if we come to that, I will strongly insist on the modification of that clause, because beyond the GDPR aspect, the unavailability of these data can have a significant, even critical impact on people.

FAQ | Privacy Policy |  ToS