A master's thesis from Aalborg University


Cyber Attacks in the Context of IT Development Contracts: How "Data Protection by Design" Affects the Supplier's Obligations Toward the Customer

Translated title

Cyberangrep og IT-tilvirkningskontrakter: Hvordan "Data Protection by Design" påvirker Leverandørens forpliktelser overfor kunden

Term

4. term

Publication year

2026

Pages

64

Abstract

This thesis examines how Data Protection by Design (DPbD) under GDPR Article 25(1) shapes IT suppliers' obligations in bespoke development contracts, and whether it should function as a negligence standard for assessing the supplier's professional duty of care. Using a legal-dogmatic approach, it analyses the substance of the DPbD requirement and its interplay with Recital 78, and considers the normative relevance of EU instruments such as EDPB Guidelines 4/2019, the Cyber Resilience Act and the NIS2 Directive, as well as technical and sectoral norms such as Good IT Practice. The study is limited to obligations in IT development contracts and does not address questions of economic loss, causation or the precise extent of liability. The analysis suggests that, although Article 25(1) is addressed to controllers, it carries significant normative implications for suppliers: the state-of-the-art criterion, read together with Recital 78, indicates that DPbD is consolidating into a professional standard, supported by the supplier's duty of loyalty. The analysis further indicates that the K02 (Denmark) and SSA-T (Norway) standard contracts may not adequately operationalise DPbD at the supplier level, creating a normative gap between the GDPR and the contractual frameworks that affects enforceability across the supply chain.

Danish abstract (translated): The thesis examines how Data Protection by Design (DPbD) under GDPR Article 25(1) affects IT suppliers' obligations in bespoke and development contracts, including whether the provision should function as a negligence standard (culpa norm) when assessing the supplier's professional duty of care. Using a legal-dogmatic approach, it analyses the content of the DPbD requirement and its interplay with the preamble (especially Recital 78), and draws on the normative relevance of EU instruments such as EDPB Guidelines 4/2019, the Cyber Resilience Act and NIS2, as well as technical and professional standards such as Good IT Practice. The thesis is limited to obligations in IT development contracts and does not cover questions of economic loss, causation or the precise extent of liability. The analysis indicates that Article 25(1), although addressed to controllers, has significant normative implications for suppliers' standard of care: the state-of-the-art requirement, read together with Recital 78, suggests that DPbD is gradually consolidating into a professional standard, supported by the supplier's duty of loyalty. Furthermore, the standard contracts K02 (DK) and SSA-T (NO) do not appear to fully operationalise DPbD at the supplier level, which may create a normative gap between the GDPR and the contractual basis, with implications for enforcement across the supply chain.

[This abstract has been generated with the help of AI directly from the project full text]