Can Badly Drafted Contracts Lead to Imposition of Fines Under Data Privacy Regime in GDPR?

July 10, 2024

Case Study under GDPR


Data protection has become a crucial aspect of corporate governance, with stringent regulations being enforced worldwide to protect personal data. Inadequate data protection in contractual agreements can lead to severe consequences, including hefty fines, reputational damage, and legal liabilities. This case study examines a real-world scenario where a company faced significant fines due to insufficient data protection measures in its contracts.

As businesses handle vast amounts of personal and sensitive data, the need for robust data protection measures within contracts has intensified.

Failure to implement adequate data protection provisions can lead to severe financial penalties, damaging reputations, and legal repercussions. Recent instances of heavy fines imposed on organizations due to inadequate data protection in contracts highlight the critical necessity for stringent compliance with data protection laws and regulations.

This trend underscores the imperative for companies to prioritize data security and privacy, ensuring that their contractual agreements meet the highest standards of data protection to avoid substantial penalties.

The consequences of not addressing data privacy and protection adequately in contracts can be severe.

Below are five significant cases where organizations faced heavy fines due to inadequate contracts regarding data processing and privacy.

1. British Airways (2019) – GDPR Violation

British Airways was fined £20 million by the Information Commissioner’s Office (“ICO”) in the UK for failing to protect the personal data of approximately 500,000 customers. In its statement dated 08.07.2019, the ICO had initially announced its intention to fine the company £183.39 million. The breach was due to poor security arrangements that led to users’ data being diverted to a fraudulent site.

Contractual Failings:

  • Insufficient contractual clauses regarding data security measures.
  • Lack of explicit agreements with third-party vendors handling customer data.

Key Learnings:

  • Ensure comprehensive security measures are outlined in contracts.
  • Regularly audit and monitor third-party vendors and review the implemented security measures.

2. Marriott International (2020) – GDPR Violation

Marriott International was fined £18.4 million by the ICO for failing to protect the personal data of 339 million guests. The breach was a result of inadequate security measures after acquiring Starwood Hotels, whose guest reservation database had been compromised.

Contractual Failings:

  • Insufficient due diligence and lack of integration of data protection protocols post-acquisition.
  • Inadequate contractual provisions for data security and breach response.

Key Learnings:

  • Conduct thorough due diligence during mergers and acquisitions.
  • Integrate robust data protection measures immediately after acquisition.

3. Google LLC (2019) – GDPR Violation

The French data protection authority, the Commission Nationale de l’Informatique et des Libertés (“CNIL”), fined Google €50 million for failing to provide transparent and easily accessible information about its data consent policies. The violation stemmed from insufficiently clear contractual clauses about consent to data processing.

Contractual Failings:

  • Lack of clear and concise language in user agreements regarding data processing and consent.
  • Failure to provide users with straightforward ways to exercise their data protection rights.

Key Learnings:

  • Ensure user agreements are transparent and easily understandable.
  • Clearly outline data processing activities and consent mechanisms.

4. Equifax (2017) – FTC and Global Penalties

Equifax faced fines totaling over $700 million due to a data breach that affected 147 million people. The breach was primarily due to the failure to patch a known vulnerability and inadequate data protection measures. Subsequently, Equifax agreed to pay at least $575 million as a part of the global settlement with the Federal Trade Commission (“FTC”), the Consumer Financial Protection Bureau (“CFPB”) and 50 states and territories of the United States.

Contractual Failings:

  • Lack of contractual requirements for regular security updates and vulnerability assessments.
  • Inadequate agreements with third-party security vendors.

Key Learnings:

  • Include explicit requirements for regular security updates and assessments in contracts.
  • Ensure third-party vendors adhere to stringent security standards.

5. Uber Technologies Inc. (2017 and 2018) – FTC Settlement and Various Fines

Uber was fined $148 million across 50 U.S. states for failing to notify regulators and users about two data breaches that exposed the personal information of 57 million users and drivers. The breaches were initially concealed and not reported promptly.

Contractual Failings:

  • Inadequate breach notification clauses in contracts with data processors.
  • Lack of clear contractual obligations for incident response and reporting.

Key Learnings:

  • Include detailed breach notification and incident response procedures in contracts.
  • Ensure all parties understand their obligations regarding data breach reporting.


These cases highlight the critical importance of incorporating comprehensive data protection measures into contractual agreements. Organizations must ensure their contracts explicitly address data security, breach notification, third-party vendor management, and user consent mechanisms.

The same fate awaits organisations under the Digital Personal Data Protection Act, 2023 (“DPDPA”): if contracts fail to make reasonable efforts to close the loopholes discussed above, hefty penalties cannot be ruled out.

In conclusion, the imposition of heavy fines for inadequate data protection in contracts serves as a stark reminder of the critical importance of safeguarding personal and sensitive information. Businesses must recognize the significant legal and financial risks associated with non-compliance and take proactive steps to enhance their data protection measures.

This includes meticulously drafting contracts that incorporate stringent data security provisions, staying abreast of evolving data protection regulations, and fostering a culture of privacy within their organizations. By prioritizing data protection, companies can not only avoid substantial fines but also build trust with their stakeholders and uphold their reputations in an increasingly data-driven world.


© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.
