GDPR headz - a q

you give your data to A

A outsources processing of that data to B

B is hacked

Vlad gets your national insurance number and hot passport pics and profits

A is still liable to you under GDPR right? B being shyt is no different from having a shyt computer programme inhouse?

If you have given consent for your data to be used by A and they outsource processing to B who then fumble it, A is left holding the ball.

It's typical for widescale IT data contracts to have back-to-back data loss / breach liabilities across the entire data chain for just this reason.

chz this is what I thought seemed most intuitive

but why is everyone suing Capita instead of their own pension provider?

(I can see why one might not want to beggar one's own pension provider but surely the legal link is with the pension provider)

If I am company A and I have done and documented my due diligence to ensure that B is a good processor, and I have my SOC reports etc. and it's clear that the breach is a result of B's negligence, then I have a pretty solid defence, and in those circumstances it's arguable I am not responsible for the breach.

As a data subject, I can tackle whoever I want to in the data chain where there has been a breach; it's just that it's most common that it's company A people go after.

I don't know the circumstances for this matter as I haven't read up on it, but I would assume that the large-scale pension providers have robust DD in place / as you say, people don't want to devalue their own pensions by suing the shit out of their provider.

I think I am happy to destroy the pension provider as the pension fund is only going to pay me about one groat a decade anyway

hang on tho

I thought there was some element of liability here even if the provider did take reasonable steps - i.e. if your data is lost to the dark web it is lost to the dark web and you should be compensated based on that outcome

or could they reduce the comp to nil?

I'm not saying there is no liability, and I don't think in reality I could actually argue away my liability by virtue of having conducted good DD, but to get to that point, someone has to spend money to test my defences.

My guess is that the reason people are going for Capita is the same reason most people focus on a single party where there has been a chain of failure: I want to extract the most money possible through the easiest route and at the lowest cost.

In this case, if I can sue anyone in the chain and company A has a lot of evidence that they did "the right thing" and it will take a lot of time and effort to unpick, but company B doesn't, I am going to avoid that fight with company A.

Rule of the savannah. I try to gank the bison who is weak instead of the one with defences ready.

You need to distinguish between regulatory fines and liability to you in an individual claim.

From a regulatory perspective, B could be liable if they failed to comply with their obligations as a processor (many of the obligations are silent on who is responsible or specifically refer to controller and processor).

A could avoid regulatory sanction if they complied with their obligations in relation to data processors (which likely would require them to audit/verify the processors' technical and organisational security measures in place).

I don't see how this would avoid A's responsibility to you as a data subject in a court action, however.