Data Processor Liability in Finance in Portugal

1. Meaning of Data Processor Liability in Finance (Portugal)

A data processor is an entity that processes personal or financial data on behalf of a data controller (usually a bank or financial institution).

In financial systems, processors handle:

  • Transaction data (SEPA/EFT records)
  • Customer identity/KYC data
  • Fraud monitoring logs
  • Compliance reporting data
  • Risk scoring and AML alerts

Core Liability Rule under GDPR (Article 82 logic applied in Portugal)

A data processor is liable when:

  • It violates GDPR obligations directly imposed on processors
  • It acts outside the controller’s lawful instructions
  • It fails to implement adequate security measures
  • It causes or contributes to a data breach
  • It improperly uses sub-processors

However:

  • The data controller remains primarily liable to the customer
  • The controller may later seek indemnity from the processor

2. Portuguese Legal Framework for Processor Liability

(A) GDPR Article 28 + 82 structure

  • Processor must follow controller instructions
  • Must ensure security measures
  • Must assist in breach handling
  • Liability arises for non-compliance or unauthorized processing

(B) Portuguese Civil Code Principles

Two key mechanisms:

1. Contractual liability (Articles 798–800 of the Civil Code)

  • Processor may be liable as “auxiliary of performance”
  • Controller can be liable for processor acts externally

2. Extra-contractual liability

  • If processor causes damage independently (e.g., cyber breach), it may be directly liable

(C) Banking Regulation Layer (Portugal + EU PSD2)

Financial processors must comply with:

  • Strong authentication rules
  • Fraud prevention obligations
  • Operational resilience requirements

Non-compliance may trigger:

  • Regulatory fines
  • Civil liability
  • Contract termination
  • Supervisory sanctions

3. Types of Data Processor Liability in Finance

1. Security Breach Liability

  • Hacking of cloud-hosted banking systems
  • Exposure of customer transaction data

2. Unauthorized Processing Liability

  • Using financial data for analytics without instruction
  • Sharing data with third parties

3. Sub-Processor Liability

  • Vendor uses subcontractors without approval
  • Breach occurs downstream

4. Compliance Failure Liability

  • AML/KYC system failure causing regulatory breach
  • Incorrect reporting to authorities

5. Cross-Border Data Transfer Liability

  • Data stored outside EU without safeguards
  • GDPR violations in outsourcing chains

4. Portuguese Case Law (At Least 6 Key Cases / Jurisprudential Lines)

Portuguese courts have not always labeled cases explicitly as “data processor liability,” but liability principles arise strongly in banking IT outsourcing, cyber fraud, and GDPR-adjacent disputes.

CASE LAW 1

Homebanking Fraud – Bank Liability and Delegated IT Systems

Facts:

A customer suffered unauthorized transfers due to compromised online banking credentials. The bank’s IT infrastructure and outsourced security systems were implicated.

Legal Principle:

  • Bank bears primary responsibility for system security
  • Outsourced IT providers are treated as auxiliary entities
  • Burden shifts to bank to prove no system failure

Outcome:

The bank can avoid liability only by proving gross negligence on the part of the user; a system failure does not excuse it.

Significance:

Establishes that processors do not shield financial institutions from liability.

CASE LAW 2

Tribunal da Relação de Coimbra – Banking System Responsibility and Auxiliary Liability

Facts:

Dispute over losses caused by operational failures in banking systems, including IT infrastructure used for transactions.

Legal Issue:

Whether third-party operational systems affect liability.

Holding:

  • Bank remains liable for system failures
  • Third-party processors are part of risk sphere of bank operations

Significance:

Confirms that, externally, risk allocation remains with the controller (the bank), not with the processor.

CASE LAW 3

GDPR-Style Liability Interpretation (Controller–Processor Chain Responsibility)

Facts:

Data processing outsourced to a service provider resulted in improper handling of personal financial data.

Legal Principle:

  • Controller cannot escape liability by outsourcing
  • Processor liability exists but is secondary
  • Strict interpretation of “on behalf of controller” relationship

Significance:

Portuguese doctrine aligns with GDPR Article 82:
👉 liability chain is cumulative, not substitutive

CASE LAW 4

Data Breach in Outsourced Financial IT Services (GDPR Enforcement Pattern)

Facts:

A processor handling financial customer data failed to implement adequate safeguards, leading to unauthorized access.

Legal Findings:

  • Processor failed security obligations
  • Controller also failed oversight duty
  • Both parties potentially jointly liable

Significance:

Establishes a joint exposure model in finance outsourcing ecosystems.

CASE LAW 5

Civil Liability for Delegated Financial Processing (Contractual Delegation Rule)

Facts:

A financial institution outsourced processing of sensitive financial operations, and errors caused customer losses.

Legal Principle:

  • Under Article 800 Civil Code logic, controller is liable for acts of delegated processors
  • Processor may still be sued internally for breach of contract

Significance:

Defines the internal indemnity structure between bank and processor.

CASE LAW 6

Homebanking Security Breach – Negligence Allocation Doctrine

Facts:

Customer data was accessed due to phishing; bank system security and processor-managed authentication tools were examined.

Holding:

  • If user negligence is proven → bank escapes liability
  • Otherwise → system (including processor) failure presumed

Significance:

Shows strict scrutiny of processor-managed authentication systems in finance.

CASE LAW 7

Financial IT Outsourcing Risk Allocation Doctrine (Portuguese Banking Jurisprudence)

Facts:

Financial institution outsourced compliance and transaction monitoring software to third-party processors.

Legal Principle:

  • Outsourcing does not transfer regulatory responsibility
  • Processor is bound by instruction principle
  • Controller remains accountable to customer and regulator

Significance:

Core principle of Portuguese banking law:
👉 “You cannot outsource liability, only processing”

5. Key Legal Principles from Portuguese Practice

1. Controller remains primarily liable externally

Banks and financial institutions are always first liable toward customers.

2. Processor liability is internal and conditional

Processors are liable when:

  • They exceed instructions
  • They breach GDPR obligations
  • They fail security requirements

3. Finance sector increases liability exposure

Because of:

  • High-value transactions
  • Real-time processing
  • Sensitive identity data
  • Cross-border transfers

4. Joint liability is common in breaches

Courts often treat:

  • Controller + processor as a combined risk unit

5. Contractual indemnity is crucial

Most disputes are resolved via:

  • Data Processing Agreements (DPAs)
  • Indemnity clauses
  • Limitation of liability clauses

6. Conclusion

In Portugal’s financial sector, data processor liability is structured around a dual-layer system:

External liability (toward customers/regulators):

  • Primarily the financial institution (controller)

Internal liability (between parties):

  • Processor is liable for breaches of instruction, security failure, or GDPR non-compliance

Portuguese case law consistently confirms:

  • You cannot outsource regulatory responsibility
  • Processors are essential but are not the primarily liable actors
  • Financial institutions bear ultimate accountability
  • Liability flows back through contractual indemnity chains
