The recent reform of the Federal German Data Protection Act (BDSG) has brought about significant changes to the requirements data processing agreements must meet in order for transfers between controllers and processors to benefit from the data processor privilege enshrined in Sec. 11 of the BDSG.
According to the revised provisions, data processing agreements must now specify in detail (1) the subject matter and term as well as (2) scope, type, and purpose of the data processing, including the type of data and the affected individuals, (3) the technical and organizational security measures adopted by the processor, (4) obligations to correct, erase, and block the data, (5) control obligations of the processor, (6) permissibility of subcontracting, (7) audit rights of the controller, (8) data breach notification obligations, (9) allowed instructions by the controller, and (10) return of storage media and deletion of the data.
As a consequence of this heavily extended minimum content, all existing data processing agreements will need to be revised and adapted to the new requirements. For this purpose, several “model clauses” are publicly available. Inter alia, the DPA of the German Bundesland Hessen has published such clauses, which are available (in German) on its Web site. The German Association for Data Protection and Data Security (GDD) has also issued a draft data processing agreement in German. Finally, the Federal Association for Information Technology, Telecommunications, and New Media (Bitkom) has crafted a bilingual draft.
Processors and controllers must bear in mind, however, that all these model clauses require adaptation to the specific situation. In particular, all model clauses contain appendices—comparable to the EC model clauses for data transfers to data processors—which have to be completed with specific information.