Processing of personal data by a service provider: beware of the risks of contract cancellation.

The failure of an IT service provider to comply with certain legal requirements regarding the processing of personal data may result in the nullity of the contract. To avoid this risk, particular attention must be paid to the preparation and drafting of the contract, but also to its rigorous application.

Two recent decisions of French Courts of Appeal illustrate the relationship between IT contracts and the regulations on personal data.

Both cases concern a contract for an IT service: in the first, a subscription contract for health software; in the second, the development and provision of a website.

In both cases, the service provider omitted an essential pre-contractual aspect: in the first case, compliance with a specific requirement relating to the hosting of health-related personal data; in the second, the provision of information that was decisive for the conclusion of the contract.

Nullity of the contract if the health data host is not approved

The software used in the first case[1] allowed for the electronic transmission of health care forms to mutual insurance companies.

As this was personal data relating to health, hosting it required the software publisher to be accredited as a health data host (HDS, health data hosting)[2][3].

However, the software publisher did not have this HDS approval.

On appeal, the Court ruled that the software publisher was required to provide its co-contracting party with hosting services complying with the public policy provisions protecting personal data relating to health.

As this requirement was not met, the Court of Appeal confirmed the nullity of the contract.

Nullity of the contract for lack of essential pre-contractual information

The decision of the Court of Appeal of Grenoble[4] concerned a contract for the creation, installation and maintenance of a website.

In practice, the website delivered to the client collected data relating to its visitors. A bailiff recorded the presence of cookies (notably third-party cookies) used for performance and statistical analysis, to propose targeted content and to analyse the performance of advertising campaigns. Where the legal requirements are not met, such cookies are unlawful.

However, the contract placed liability for compliance with the regulations on personal data on the client.

The judges held that the client should have been informed of the presence of software allowing cookies to be installed, this information being decisive in view of the civil liability the client incurred.

In the absence of this information, the judges annulled the contract on the ground of error as to an essential quality of the website provided.

The Court of Appeal therefore confirmed the nullity of the contract and ordered the publisher to reimburse the full amount of the subscription paid.

Consequences of the nullity

In both cases, the retroactive nullity of the contract leads to restitution, each party being put back in the position it was in before the contract.

However, while the Grenoble Court of Appeal (website) ordered the service provider to reimburse the entire amount paid, the Nîmes Court of Appeal (health data hosting) held that the client had benefited from the use of the software for 48 months. The court therefore awarded the publisher an indemnity corresponding to the subscription amount for the number of months during which the software was actually used.

Particular attention must therefore be paid when contracting with IT service providers:

– before signing the contract, by obtaining complete information on the detailed operation of the software or service and on the personal data processing carried out,

– in the contract, in particular by inserting detailed guarantees on whether and how personal data are processed,

– and during the performance of the contract, by verifying that the service (or the right granted) matches the content of the initial contract and that the service provider complies with the legal requirements[5].

[1] Nîmes Court of Appeal, 15/12/2022

[2] Art. L. 1111-8 of the Public Health Code

[3] Since replaced by the HDS certification.

[4] Grenoble Court of Appeal, 12/01/2023

[5] The CNIL recently sanctioned a data controller for « not having followed the execution of instructions by its processor and not having exercised a satisfactory and regular control (…) on the technical and organizational measures implemented by its processor (…) in particular to ensure the anonymization and security of the data ».

Published by

Franck Delamer

Senior Associate
Data Protection Officer