The German data protection law was revised in 2009 and obliges parties to data processing agreements to include in their contracts clauses on breach notifications, audit rights, subcontracting, and a number of other aspects.
Nonconforming contracts can trigger administrative fines of up to €50,000. Agreements already in place should be reviewed and policies implemented to ensure the compliance of future contracts.
Which contractual relationships are affected?
Any agreement under which a third party is storing, using, or otherwise processing personal data for your company must meet the new requirements, in particular if entered into, renewed, or amended after September 1, 2009. These so-called controller-processor relationships (Auftragsdatenverarbeitungs-Verhältnisse) exist if a service provider is processing personal data for and on behalf of your company or has access to your data.
Personal data means any information that can be linked to an individual, for example, shipping addresses or purchase histories of your customers, contact information of business partners, or employee data such as name, position, curriculum vitae, or salary.
The new rules also cover intra-group situations, for example, if a parent company is operating a centralized customer database or a human resources information system that stores customer data or employee data of its subsidiaries.
Examples of possibly affected relationships are:
- service agreements with payroll processors or archiving service providers
- agreements with call centers or direct marketing service providers (mailings, newsletter delivery, lettershops)
- contracts with companies hosting human resources information systems (HRIS) or customer relationship management (CRM) tools
- agreements with external auditors or maintenance service providers
- other agreements on the provision of IT resources (e.g. application service providing, cloud computing, software as a service, Web site hosting, online storage).
These controller-processor relationships have to be distinguished from situations in which a company has not merely outsourced the data processing but an entire function (e.g. the customer care department). These cases are referred to as controller-controller relationships (Funktionsübertragungen) and are subject to different and even stricter data protection regulations. The distinction between controller-processor and controller-controller relationships is difficult and must be made on a case-by-case basis.
What does the new law require?
The old law, which was in force until August 31, 2009, already contained basic requirements for controller-processor agreements. These have now been extended and spelled out in more detail.
Since September 1, 2009, parties must set forth in a written agreement, in particular:
- the scope of the personal data processed by the provider, and the way in which and the purpose for which data is collected, used, and processed by the processor
- the controller's rights to give instructions to the data processor
- technical and organizational measures to be implemented by the processor to ensure data security
- correction, deletion, and locking of data by the data processor
- processor's right to subcontract or outsource parts of the processing
- processor's obligations to appoint a data protection officer and to bind its employees in writing to data secrecy
- audit rights of the controller
- processor's data breach notification obligations
- the procedure of return and deletion of data at the end of the contract.
The controller is fully responsible for the lawfulness of the data processing by the processor and for compliance with these mandatory contractual provisions. Also, the German Federal Data Protection Act (Bundesdatenschutzgesetz) expressly states that controllers must diligently select processors, taking into account the technical and organizational security measures implemented by the processor. Controllers must also audit processors before the processing starts and regularly thereafter, and record the results.
If the data processor is established outside the European Economic Area (EEA), additional measures are required in order to ensure an "adequate level of data protection" at the processor. To accomplish this, many companies use the "EU model clauses for the transfer of personal data to processors established in third countries." Unfortunately, these model clauses do not fully cover the new strict requirements of the German law. For example, the model clauses contain only vague data breach notification obligations. Therefore, if data processors outside the EEA process business-critical data, the model clauses should be accompanied by additional contractual provisions.
What are possible sanctions and how likely are they?
Data protection authorities can impose administrative fines of up to €50,000 on companies having insufficient controller-processor agreements. In case of a data breach at the data processor, the data controller can become subject to damage claims by affected individuals. Further, data protection officers negligently failing to implement the new rules could become liable vis-à-vis their company.
Controller-processor agreements are usually not audited by data protection authorities without cause, but upon a complaint by an individual, authorities start investigations and in this course can ask companies to provide the applicable agreements. Investigations can also be initiated in case of a data breach. Since the German legislature has recently introduced breach notification obligations, privacy violations are more likely to come to the attention of authorities.
Recommended steps
Short term:
- Identify all situations where your company is a data controller in a controller-processor relationship and rank these relationships using the following criteria: (i) amount of data, (ii) sensitivity of the data, (iii) business relevance of the data, and (iv) status of the processor (group company, establishment within or outside the EEA, results of prior audits)
- Review business-critical agreements and amend them where necessary
Midterm:
- Implement internal policies, templates, and checklists to ensure that future agreements are compliant
- Implement procedures to regularly audit processors
- Update old agreements step by step (e.g. upon contract renewals)