Suppose a company provided a service, had a computer issue and as a result one of their customers suffered a loss. Are there circumstances that a failure in the documentation required by GDPR could affect whether this failure results in civil damages?
The example I am thinking about is the current problems with Falcon Sensor from CrowdStrike. It seems this is a US company, training an AI on network data, including medical records, and potentially sending it to the US (Cloudstrike are on the UK Data Privacy Framework List. I do not know any details (I have asked about what is transfered on security.SE), but with the combination of special category data, Article 45 International data transfers, a regime that is less than one year old, lowest bid government IT projects, overworked GP practices, and missed appointments there seems to be plenty of room for both errors and costly harm.
Looking at this answer which discusses limitations to liability could be relevant:
Waivers are liability of ordinary negligence, or for strict liability in tort, are normally effective. Waivers of liability for intentional conduct or conduct that is carried out in bad faith (e.g. if the software company deliberately tried to sabotage your company) are not valid.
What influence could GDPR breaches have on an organisations liability in this sort of case? Could perhaps such a GDPR breach cause liability waivers to be invalid?
