I am not sure I agree with Renzo. Even in his example you are still receiving the penalty for your own failure under principle 7. Not for the processor's default. Is there not a general principle in contract that responsibility for compliance with the law cannot be assigned?
As others have noted the processor's insurers may not be too happy with them giving an indemnity in such cases. In the event (possible under shared arrangements) that the processor is a public authority, giving such an indemnity is also quite possibly ultra vires.
I can see no problem with an indemnity clause covering any compensation awarded under s13 DPA but that is a different issue.
Finally whilst the ICO can only levy a MPN against the controller he is not powerless against a processor. In circumstances where a MPN is appropriate it is quite likely that the processor has committed a s55 offence e.g. recklessly disclosing personal data without the controller's consent.