Law Firm Dr. Thomas Helbing - Newsletter Data Protection and Privacy Law in Germany (in English) http://www.thomashelbing.com/en/taxonomy/term/2/0 Our Newsletter "Data Protection and Privacy Law in Germany" is addressed to all persons responsible for data protection in a company, in particular to the management, legal counsel, data protection and privacy officers, compliance managers and IT managers. Our newsletter provides relevant and up-to-date information and helps to identify and efficiently fulfill the legal requirements of German data protection and privacy laws. Analysis: Data Protection Authority: Use of Non-EU Cloud might violate German Data Protection Law http://www.thomashelbing.com/en/analysis-data-protection-authority-use-non-eu-cloud-might-violate-german-data-protection-law <p>by <a href="http://www.thomashelbing.com/en/lawyer">Dr. Thomas Helbing</a><br /> &nbsp;<br /> The Data Protection Authority for the German federal state of Schleswig-Holstein ("Unabhängiges Landeszentrum für Datenschutz - ULD", the "<strong>DPA</strong>") published a paper in June 2010 on cloud computing under German data protection law. The most doubtful statement is that the use of clouds outside the EU might violate German data protection law.<br /> &nbsp;<br /> In this analysis I give an overview of some statements of the paper, explain the legal background and analyze the DPA's position.<br /> &nbsp;<br /> <strong>Controller-Processor Relationship</strong><br /> &nbsp;<br /> According to the DPA, the relationship between a cloud provider and a cloud user is, from a technical point of view, usually a controller-processor relationship. From this understanding the DPA draws the following conclusions:<br /> &nbsp;<br /> The cloud user is responsible for ensuring the integrity and confidentiality of personal data stored in the cloud (e.g. employee or customer data). 
The DPA holds the view that in order to fulfill this obligation<strong> the cloud provider has to make transparent how and where data is processed in the cloud and describe the security measures that have been implemented. </strong>The provider of a public cloud must accordingly inform the cloud user about the legal entities operating the cloud and the locations of the data processing facilities.<br /> &nbsp;<br /> As a data controller, the cloud user must be able to audit the security measures and give instructions to the cloud provider in relation to the data processing. The DPA understands that these requirements are hardly feasible in a cloud scenario and seems to accept this under certain conditions:<br /> <ol type="1"> <li><strong>The cloud provider must give a comprehensive self-obligation to comply with specific data security measures. </strong></li> <li><strong>The audit obligation of the cloud user must be fulfilled by an independent and competent third party. </strong>The cloud provider must contractually accept audits by third parties or provide sufficient certifications. According to the DPA, the cloud provider must make the log data of the data processing available to the extent required for the audits.</li> <li><strong>As compensation for the </strong>cloud user not being able to give detailed instructions to the cloud provider, the <strong>cloud provider must offer different options to the cloud user, e.g. with regard to the use of resources or the locations of data processing facilities (EU clouds) or with regard to security levels.</strong></li></ol><br /> &nbsp;<br /> <strong>Non-EU/EEA Clouds</strong><br /> &nbsp;<br /> The DPA paper also deals with cloud providers established in countries outside the European Union and the European Economic Area (EEA). 
In this context, it is important to keep in mind that in such a scenario a two-step test is conducted from a data protection viewpoint. First, the transfer of personal data into the cloud and the processing in the cloud must have a legal basis. Second, an adequate level of data protection must be ensured at the cloud location outside the EU/EEA. Safe Harbor, Binding Corporate Rules and the EU standard contractual clauses are mainly relevant for the second step of this test. In fact, the use of standard contractual clauses or a Safe Harbor certification as such does not suffice to make the use of cloud services lawful. Unfortunately, many authors, and the DPA in its paper, do not always clearly distinguish these two basic steps.<br /> &nbsp;<br /> According to the definitions in section 3 para. 8 of the German Federal Data Protection Act (FDPA) [<em>Bundesdatenschutzgesetz - BDSG</em>], the making available of personal data by a controller to a processor is not considered a "data transfer" if certain requirements are met, among others that the controller and processor have entered into a written agreement that fulfills the requirements listed in section 11 FDPA. The consequence of this controller-processor privilege is that no legal basis is needed for passing personal data to a processor. However, the DPA has made clear that this privilege does not apply if the cloud provider is located in a country outside the EU/EEA.<br /> &nbsp;<br /> The DPA argues that the transfer of personal data to, and the processing of such data in, a non-EU/EEA cloud cannot be justified. The only provision that might be able to create a legal basis for the data transfer into the cloud is, in the view of the DPA, the balance-of-interests clause in section 28 para. 1 no. 2 FDPA. 
The DPA argues that the cloud user has no legitimate interest in transferring personal data to a non-EU/EEA cloud provider because the cloud user could make use of EU/EEA-based clouds.<br /> &nbsp;<br /> Later, the DPA explains that a solution to justify the use of non-EU/EEA clouds would be to apply the privilege of section 11 FDPA analogously (<em>mutatis mutandis</em>) to data processors outside the EU/EEA. As a precondition for such an analogy, the cloud provider and cloud user would have to enter into an agreement with the EU standard clauses for controller-processor transfers. In addition, the cloud computing agreement would have to comply with the requirements of section 11 FDPA. The DPA stresses that the mere self-certification of a cloud provider under the Safe Harbor regime or a SAS 70 Type II certification does not suffice.<br /> &nbsp;<br /> <strong>Analysis and Criticism</strong><br /> &nbsp;<br /> The statements of the DPA on audits and data security are helpful and give guidance. However, the statements on the legitimacy of non-EU/EEA clouds are extremely doubtful and general.<br /> &nbsp;<br /> The view that the privilege of section 11 FDPA is not applicable to data processors outside the EU/EEA is in line with the wording of the FDPA. However, it should be mentioned that there are at least some authors who support the opinion mentioned by the DPA that the privilege can be applied <em>mutatis mutandis</em> to processors outside the EU/EEA if the contract includes the EU standard contractual clauses and, in addition, satisfies the requirements of section 11 FDPA. From the paper, however, it remains unclear whether the DPA is willing to follow this approach.<br /> &nbsp;<br /> Further, it cannot be argued that there is in general no legal basis for data transfers to non-EU/EEA clouds. In particular, the argument that the cloud user has no legitimate interest in using such clouds is not valid. 
If one accepted this argument, any offshore outsourcing of personal data, a common practice for many years, would be unlawful in most cases. This is in clear contradiction to the EU decision on standard contractual clauses for controller-processor transfers, since there would be <em>de facto</em> no room for the application of these clauses. Also, it cannot be said that cloud users always have the choice to opt for an EU-based service, since many major cloud service providers are based in the US.<br /> &nbsp;<br /> The paper is also in other parts very general and vague. For example, although it describes the different types of clouds (public/private) and services (Software as a Service, Platform as a Service, Infrastructure as a Service) in the introduction, the DPA does not distinguish between these different scenarios in the remainder of the paper. In my opinion, the paper in many respects creates more uncertainty than it provides clarification.<br /> &nbsp;<br /> <strong>Recommendations</strong><br /> &nbsp;<br /> One can draw some recommendations from the paper: German users of non-EU/EEA clouds should make sure that their <strong>cloud agreements both include the EU standard contractual clauses and comply with section 11 of the FDPA</strong>. In addition, the parties should give specific attention to the <strong>description of the locations of data processing facilities and of the parties operating the cloud</strong>, and they should agree on <strong>data security certifications or independent third-party audits</strong>. Cloud providers should offer different options for security levels and data processing locations.<br /> &nbsp;<br /> Finally, one should keep in mind that the paper is a statement of the data protection authority of one of the 16 federal states [<em>Bundesländer</em>] in Germany. It has <strong>supervision only over cloud users established in the territory of Schleswig-Holstein</strong>. 
However, in the past, the authority has already taken a leading role in the joint meetings of all German data protection authorities, so other authorities might follow the view of the DPA.</p> http://www.thomashelbing.com/en/analysis-data-protection-authority-use-non-eu-cloud-might-violate-german-data-protection-law#comments Newsletter Data Protection and Privacy Law in Germany (in English) Sun, 13 Mar 2011 12:20:24 +0000 admin 29 at http://www.thomashelbing.com How the New EU Rules on Data Export Affect Companies in and Outside the EU http://www.thomashelbing.com/en/how-new-eu-rules-data-export-affect-companies-and-outside-eu <p>by <a href="http://www.thomashelbing.com/en/lawyer">Dr. Thomas Helbing</a></p> <p>On 5 February 2010 the Commission of the European Union (EU) <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF">updated the set of standard contractual clauses for the transfer of personal data to processors in non-EU countries</a>. The <strong>old clauses are repealed with effect from 15 May 2010</strong>.</p> <p>Standard contractual clauses are an <strong>important instrument</strong> for companies in the EU <strong>to comply with national data protection laws</strong> if information on individuals is transferred to or accessed by organizations outside the EU.</p> <p>The EU Commission decision is relevant for all organizations receiving personal data, for example customer or employee data, from subsidiaries, customers or vendors in the EU.</p> <p>In addition, the <strong>new standard contractual clauses will also affect companies who indirectly receive personal data that originally comes from the EU</strong>, e.g. by providing services to companies which process EU data. 
This is because the new standard contractual clauses require companies importing personal data from the EU to contractually impose the terms of the clauses on any subcontractor to which they transfer personal data or grant access.</p> <p>In particular, agreements on outsourcing, cloud computing, <strong>software as a service (SaaS)</strong> or <strong>application service providing (ASP)</strong> and software such as Human Resources Information Systems (HRIS), Customer Relationship Management (CRM) tools and Enterprise Resource Planning (ERP) software are affected.</p> <p><strong>UPDATE:</strong> In July 2010, the Article 29 Working Party published an <a href="http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp176_en.pdf">FAQ document</a> clarifying certain questions in relation to the use of the new clauses.</p> <div class="example"> Example "CRM": CRM-Ready Inc. is a US-based company providing Customer Relationship Management software that clients use remotely via a web browser (Software as a Service, SaaS). Best-Resell GmbH in the EU intends to use CRM-Ready's system to store and manage its customer data. CRM-Ready Inc. and Best-Resell GmbH agree to conclude a contract with the EU standard contractual clauses to ensure Best-Resell's compliance with local privacy laws. </div> <div class="example"> Example "HR-Data": Global Workers Ltd. is a multinational company headquartered in Japan with subsidiaries in various EU countries. Names, functions and phone numbers of all employees are stored centrally in a firm-wide database at Global Workers Ltd. in Tokyo. The EU subsidiaries and Global Workers Ltd. agree on the EU standard contractual clauses to ensure the lawfulness of the intra-group data transfers under EU laws. 
</div> <p>In this article we answer the following questions:<br /> • <a href="#no1">What is the Concept behind Standard Contractual Clauses?</a><br /> • <a href="#no2">What are the Changes to the Standard Contractual Clauses?</a><br /> • <a href="#no3">How Does the New Subcontracting Scheme of the Clauses Work in Practice?</a><br /> • <a href="#no4">When Do the New Clauses Take Effect and Which Existing Agreements Need to be Updated?</a><br /> • <a href="#no5">How Do the Clauses Affect Companies Outside the EU?</a></p> <p><span id="no1"></span></p> <h2>A. What is the Concept behind Standard Contractual Clauses?</h2> <p>If you are familiar with the concept of standard contractual clauses you can <a href="#no2">skip this section</a>.</p> <h3>1. Ensuring an "Adequate Level of Data Protection"</h3> <p>A company established in the EU may transfer or make accessible personal data to a company outside the EU only if an "adequate level" of data protection is ensured at the recipient. In the terminology of the EU Data Protection Directive 95/46/EC (Directive), the company in the EU is then referred to as the "Data Exporter" and the company receiving the personal data as the "Data Importer".</p> <p>The requirement of an adequate level of data protection <strong>also applies to intra-group transfers</strong>, i.e. if the Data Exporter and Data Importer belong to the same group of companies. A data transfer in the meaning of the EU Directive also takes place if the Data Importer has <strong>access to personal data of entities established in the EU</strong>, for example access to servers controlled by EU subsidiaries. Further, the term "Personal Data" is understood very broadly and includes any information on individuals, e.g. 
business contact details, employee telephone directories or customer lists.</p> <p>If the Data Exporter and Data Importer enter into a contract that includes the EU standard contractual clauses, the Data Importer is considered to provide an adequate level of data protection. The standard contractual clauses set forth rights and obligations in relation to the handling of personal data. They may not be altered, but they may be accompanied by commercial terms (e.g. an underlying service agreement). There are two annexes to the standard contractual clauses to be completed by the parties. They contain details on the parties, the transferred data, the data processing and the technical and organizational security measures to be implemented by the Data Importer.</p> <p>The obligation to ensure an adequate level of data protection is laid down in article 25 para. 1 of the Directive. The Directive is not addressed to individuals or entities but obliges the EU member states to adopt corresponding national legislation.</p> <p>While the wording of the standard contractual clauses is the same throughout the EU, member states have taken <strong>different approaches as to the formal requirements</strong>: In some EU jurisdictions it suffices to merely enter into a contract with the standard contractual clauses; others require the use of the clauses to be notified to their national data protection authority (DPA) or even to be approved by the authority in advance. Also, local law requirements in relation to the security measures to be implemented by data processors vary considerably.</p> <p>For the following jurisdictions the EU Commission has <a href="http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en.htm">determined</a> that they already ensure an "adequate level" of data protection, so that Data Importers in these countries do not need to enter into such agreements: Switzerland, Canada, Argentina, Guernsey, the Isle of Man and Jersey.</p> <h3>2. 
Controller-Controller and Controller-Processor Transfers</h3> <p>The EU Commission has adopted <a href="http://ec.europa.eu/justice_home/fsj/privacy/modelcontracts/index_en.htm">four different sets</a> of standard contractual clauses. To select the right set, the role of the Data Importer must be analyzed: Data Importers can act as "Data Controllers" or "Data Processors".</p> <p>The Data Importer takes the role of a Data Processor if it processes and uses the data solely on behalf of and in accordance with the instructions of the Data Exporter. Providers of Cloud Computing or Software as a Service (SaaS) models are usually Data Processors. In contrast, if the Data Importer has the power to determine for which purposes it uses the data or to decide on the substantial means of the data processing (e.g. length of storage or access rights of third parties), then the Data Importer is considered to be a Data Controller.</p> <p>The distinction between Data Controllers and Data Processors can be difficult and must be made in consideration of the specific factual circumstances of each case. It is even possible that the Data Importer acts as a Data Processor in relation to certain information and as a Data Controller in relation to other information. The Article 29 Working Party, an independent advisory body on data protection matters at the EU level, published an <a href="http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp169_en.pdf">opinion on the concept of controllers and processors</a> in February 2010.</p> <p>If the Data Importer is a Data Controller, one of the two sets for controller-controller transfers must be used. The two sets for controller-controller transfers are alternatives; companies can choose which set of clauses they prefer.</p> <p>If the Data Importer is a Data Processor, the controller-processor clauses are the right instrument. For controller-processor relationships there is no right to choose between two sets. 
On 5 February 2010 the EU Commission adopted a decision that updates the old clauses with effect as of 15 May 2010 (for transition rules, please see below).</p> <h3>3. Alternatives to Standard Contractual Clauses</h3> <p>Standard contractual clauses are one of several means to ensure an "adequate level" of data protection, which is a prerequisite to lawfully export personal data from the EU.</p> <p>Data Importers established in the <strong>United States</strong> can join the <a href="http://www.export.gov/safeharbor/">Safe Harbor Program</a>. Organizations that decide to participate must comply with certain Safe Harbor Principles and publicly declare to do so in a self-certification procedure. The participating organization is then considered to ensure an adequate level of data protection. Safe Harbor certified organizations become subject to the supervision of the US Federal Trade Commission, which is often a reason for companies to abstain from participation.</p> <p>Another instrument to ensure an adequate level of data protection are <strong>Binding Corporate Rules (BCR)</strong>. BCR are a kind of group-wide company privacy policy that must fulfill a number of requirements set forth by the EU Commission. The BCR must be shown to have legally binding effect both internally between the group companies, employees and subcontractors and externally for the benefit of individuals. All companies belonging to the group are then considered to ensure an adequate level of data protection. Accordingly, BCR only apply to intra-group data transfers, but not to transfers to entities outside the group. Also, despite some recent simplifications, the implementation of BCR is still a time-consuming task causing considerable administrative burden.</p> <h3>4. Important Compliance Requirement for EU Companies</h3> <p>Ensuring an adequate level of data protection is an essential compliance requirement for companies in the EU. 
For example, in Germany, failure to comply with this requirement can result in <strong>administrative fines of up to 300,000 Euro</strong>. Also, under German law, most companies are obliged to appoint an in-house data protection officer who directly reports to the management and is in charge of the company's compliance with data protection requirements. Data protection officers will not accept an agreement with a data processor outside the EU if an adequate level of data protection has not been ensured.</p> <p>Standard contractual clauses should not be considered a mere "formality". The parties must be aware that the clauses contain a number of serious provisions on liability and third-party beneficiary rights. In addition, the underlying service contract should be reviewed in light of the accompanying standard contractual clauses. For example, clauses on subcontracting or liability limitations in the service contract could be construed as an amendment to the standard contractual clauses that destroys their effect.</p> <p><strong>Companies outside the EU targeting customers in Europe should be familiar with the EU data export regulations and the concept of standard contractual clauses</strong>. From a compliance and marketing perspective it is advisable to have available standard terms and conditions that already take into account the EU requirements. This demonstrates to prospects that the provider takes data protection seriously and is willing to co-operate in fulfilling these requirements.</p> <p><span id="no2"></span></p> <h2>B. What are the Changes to the Standard Contractual Clauses?</h2> <p>The major change in the new standard contractual clauses for controller-processor transfers (Clauses) is that they now <strong>allow Data Importers outside the EU to "subcontract" the data processing fully or in part to third parties (Sub-Processors)</strong>. 
The term subcontracting is understood broadly: <strong>Whenever a third party has access to the data, it can be a Sub-Processor</strong>. The old clauses did not explicitly allow sub-processing, although subcontracting and outsourcing have been a reality in the global IT landscape for quite some time.</p> <div class="example"> Example "CRM": CRM-Ready Inc., our US-based company providing CRM software to its customers in Germany via the internet, uses a third-party vendor to administer and maintain databases. Also, its servers are co-located in a data center that offers immediate exchange of defective hardware. Both the company providing database administration and the company providing hardware exchange services are Sub-Processors of CRM-Ready Inc. </div> <div class="example"> Example "HR-Data": Global Workers Ltd., our multinational company headquartered in Japan, uses a third-party Enterprise Resource Planning (ERP) software that stores names, functions and qualifications of all employees, including those employed by EU subsidiaries. If the ERP software provider can access the data (e.g. in the course of maintenance services), it is considered a Sub-Processor of Global Workers Ltd. under EU law. </div> <p>The new set of standard contractual clauses provides in clause 11 that the Data Importer may subcontract the data processing if two conditions are met:<br /> 1. <strong>Consent</strong>: The Data Exporter has given prior written consent to the subcontracting.<br /> 2. <strong>Imposition of Terms</strong>: The Data Importer imposes on the Sub-Processor by written agreement the same obligations as are imposed on the Data Importer under the standard contractual clauses.</p> <p>Another change in the standard contractual clauses is that the new terms have no arbitration clause. In the old version, the Data Importer had to agree that certain disputes with data subjects could be resolved by arbitration; this option has been deleted.</p> <p><span id="no3"></span></p> <h2>C. 
How Does the New Subcontracting Scheme Work in Practice?</h2> <p>Data Importers outside the EU that have entered into the new standard contractual clauses must ensure that the two requirements, consent and imposition of terms, are fulfilled with regard to any Sub-Processor that gets access to the personal data.</p> <h3>1. Consent</h3> <p>Consent to sub-contracting should be given in a document separate from the agreement that contains the standard contractual clauses, so that changes in the list of Sub-Processors do not affect the agreement, which might have been notified to or approved by local data protection authorities.</p> <p>Usually, Data Exporters will consent to the subcontracting of certain data processing tasks (e.g. server maintenance, data storage, database administration) to a Sub-Processor that is identified by company name and address. However, to achieve more flexibility and to avoid asking for new consents whenever a Sub-Processor changes or is added, Data Importers may wish to obtain a <strong>broader consent</strong>, e.g. to subcontract to any affiliated company.</p> <p>If Data Exporters are concerned about the lawfulness of such general consents under the standard contractual clauses, it can be argued that the level of data protection is not negatively affected because the Data Importer has to impose the terms of the standard contractual clauses on each Sub-Processor. In addition, the Data Exporter will be informed by the Data Importer about any Sub-Processor according to clause 5 lit. (j) of the Clauses. 
By this, it is ensured that the Data Exporter has full knowledge of any company receiving the data, even if a broad consent for sub-processing is given.</p> <p>Alternatively, the parties could agree that the Data Importer shall notify the Data Exporter about its intent to use a certain Sub-Processor and that the <strong>consent</strong> of the Data Exporter <strong>shall be deemed given</strong> if the Data Exporter does not object within an agreed period of time.</p> <h3>2. Imposition of Terms</h3> <p>As to the second requirement for sub-processing, the imposition of the standard contractual clauses on the Sub-Processor, a footnote in the EU Commission's decision explains that this may be satisfied by the Sub-Processor co-signing the contract entered into between the Data Exporter and the Data Importer. While this appears to be a practical and simple procedure at first glance, the <strong>co-signature has a number of disadvantages</strong>:</p> <p>First, if the Sub-Processor simply co-signs the agreement between the Data Exporter and the Data Importer, it remains unclear to what extent the Annexes shall apply to the Sub-Processor. The Annexes contain specific information about the transferred data, the processing purposes and means and the security measures to be taken by the Data Importer. In many cases, the Data Importer does not subcontract the entire data processing but only parts of it. In such cases the provisions in the Annexes are likely inappropriate for the relationship between the Data Importer and the Sub-Processor.</p> <p>Second, the co-signature of contracts with standard contractual clauses can be a burdensome task for Sub-Processors. In our example of CRM-Ready Inc. providing CRM software as a service, the Sub-Processors would have to sign every single contract of CRM-Ready Inc. with customers in the EU. 
If the Sub-Processors are using Sub-Processors themselves, a mechanism that the EU Directive expressly allows, those Sub-Sub-Processors would have to co-sign the agreements as well; the list of co-signatures would soon exceed the actual terms. In addition, CRM-Ready Inc. would disclose to its Sub-Processors the existence of business relationships with its EU customers.</p> <p>Third, the co-signature makes it more difficult for the Sub-Processor to understand its legal obligations and the impact of the clauses, since it has to pick out of the standard contractual clauses the provisions relevant to Sub-Processors.</p> <p>Fourth, a co-signature could be construed in a way that the Sub-Processor is not only obliged vis-à-vis its contractual partner, the Data Importer, but also directly vis-à-vis the Data Exporter, with whom it has no business relationship.</p> <p>For these reasons it <strong>appears preferable for the Data Importer and the Sub-Processor to enter into a separate agreement</strong> that imposes the relevant terms on the Sub-Processor (to obtain a checklist for such an agreement, <a href="http://www.thomashelbing.com/en/contact-imprint">please contact me</a>). Such an agreement can be tailored to the underlying service agreement between the Data Importer and the Sub-Processor. Since the Data Importer is obliged to provide the sub-processing agreement to the Data Exporter (clause 5 lit. (j) of the Clauses) and, upon request, in part to data subjects (clause 5 lit. (g) of the Clauses), the agreement should be formally separated from the underlying service contract to avoid disclosure of commercial terms.</p> <p>To ease the administrative burden of providing sub-processing agreements to the Data Exporter, the Data Importer and the Data Exporter can agree on a simplified mechanism: The Data Importer could make electronic copies of sub-processing agreements available online on a secured server and notify the Data Exporter regularly of changes. 
This mechanism would also support the Data Importer in fulfilling its obligation under the Clauses to keep an annually updated list of sub-processing agreements (clause 11 para. (4) of the Clauses).</p> <p><span id="no4"></span></p> <h2>D. When Do the New Clauses Take Effect and Which Existing Agreements Need to be Updated?</h2> <p>The decision of the EU Commission updating the set of standard contractual clauses for controller-processor transfers applies from 15 May 2010. The old version of the clauses is repealed with effect from the same date.</p> <p><strong>Agreements that are entered into after 15 May 2010 must accordingly use the new clauses</strong>. In contrast to the two sets of standard contractual clauses for controller-controller transfers, there is no right of choice.</p> <p>For <strong>agreements that were concluded prior to 15 May 2010</strong> with the old version of the standard contractual clauses, the EU Commission decision contains a <strong>transitional rule</strong>: Old agreements remain in force and effect if and as long as two requirements are met:</p> <ol> <li>The data transfer and processing operations that are the subject matter of the contract remain unchanged, and</li> <li>Personal data continues to be transferred to the Data Importer.</li> </ol> <p>In addition to this rule, if the Data Importer decides to subcontract parts of the data processing, the new set of clauses must be used. 
This, of course, also applies if the Data Importer is already using subcontractors for the data processing.</p> <div class="example"> Example "Changed Data Processing": Under an agreement that was entered into prior to 15 May 2010 with the old set of clauses,<br /> * new types of data are transferred (in addition to customer data, the Data Importer also receives vendor data),<br /> * additional data fields are transferred (in addition to names and contact details of employees, information on qualifications is transferred), or<br /> * data is used for other or further purposes (e.g. instead of mere customer data management, the Data Importer is supposed to analyze customer data and create customer profiles). </div> <div class="example"> Example "Discontinued Data Processing": The parties have entered into a framework agreement under which individual orders are made, e.g. batches of address data are transferred and then used by the Data Importer for mailings or surveys. Since there is no continuous data transfer, the parties have to use the new clauses for orders made after 15 May 2010. </div> <p><span id="no5"></span></p> <h2>E. How Do the New Clauses Affect Companies Outside the EU?</h2> <h3>1. Data Importers</h3> <p>Organizations outside the EU receiving personal data from companies in the EU are required to ensure an adequate level of data protection. Often this is facilitated by the conclusion of standard contractual clauses. Companies that have entered into such agreements based on the old set of standard contractual clauses may need to update the agreements and <strong>switch to the new clauses</strong> if the data processing is discontinued or changes after 15 May 2010 or data is made available by the Data Importer to Sub-Processors.</p> <p>Data Importers who use Sub-Processors have to ensure that this happens in line with the <strong>subcontracting scheme</strong> of the Clauses, i.e. 
the Data Exporter must have consented and the terms of the standard contractual clauses must be imposed on the Sub-Processor.</p> <p>In addition, Data Importers using Sub-Processors under the standard contractual clauses should be aware that they are <strong>responsible for the data processing of the Sub-Processor</strong> vis-à-vis the Data Exporter (clause 5 lit. (i)) and the data subjects (clause 11 para. (1) sentence 3), and that they have to send a copy of any agreement with a Sub-Processor to the Data Exporter (clause 5 lit. (j)).</p> <h3>2. Effect on Sub-Processors</h3> <p>With the introduction of the new set of standard contractual clauses, more and more Data Importers will approach their Sub-Processors in order to <strong>ensure compliance with the subcontracting mechanism of the Clauses</strong>. In particular, Sub-Processors will be asked to contractually agree to the terms of the standard contractual clauses. For the reasons stated above, Sub-Processors should consider entering into a separate agreement with the Data Importer for this purpose rather than co-signing the standard contractual clauses entered into between the Data Exporter and the Data Importer.</p> <p>In addition, Sub-Processors should take into consideration the following implications of the standard contractual clauses:</p> <p>Sub-Processors have to agree to <strong>third-party beneficiary rights</strong> for cases where the data subject is not able to bring compensation claims against the Data Importer for damages caused by data breaches of the Sub-Processor (clause 11 para. (2) and clause 6 para. (1) of the Clauses).</p> <p>If the Sub-Processor itself makes personal data available to other companies, it must obtain the <strong>consent of the Data Importer</strong> and <strong>impose the terms of the standard contractual clauses on the data recipient</strong>. 
The Sub-Processor becomes responsible for the data processing by its own subcontractors and must send a copy of the sub-processing agreement to the Data Importer.</p> <p>According to clause 8 para. (2), the Sub-Processor has to agree that the supervisory authority of the country where the Data Exporter is located has the right to conduct <strong>audits</strong> at the Sub-Processor. These audits are subject to the conditions that would apply to an audit of the Data Exporter under the Data Exporter's local law.</p> <p>On the termination of the sub-processing agreement, the Sub-Processor has to <strong>return or destroy all data</strong> received from the Data Exporter, at the choice of the Data Exporter, and must certify to the Data Exporter that it has done so (clause 12 para. (1)).</p> <p>If you have questions around the new EU model clauses, EU data protection regulations in general or their contractual implications, <a href="http://www.thomashelbing.com/en/contact-imprint">please contact us</a>. We will also be happy to send you our <strong>free checklist for a Sub-Processing agreement that complies with the new EU rules</strong>.</p> Published Fri, 26 Mar 2010 15:36:18 +0000 CloudSlam 2010 - Presentation "Data Protection and Cloud Computing" http://www.thomashelbing.com/en/cloudslam-2010-presentation-data-protection-and-cloud-computing <p>This post contains supplementary information to Thomas Helbing's presentation "Data Protection Law Requirements to Cloud Computing Agreements in the European Union" of 24 March 2010 at the <a href="http://cloudslam10.com" rel="nofollow">CloudSlam 2010 Conference</a>.</p> <p>You can <a href="http://www.thomashelbing.com/sites/default/files/download/Presentation-Cloud-Computing-Data-Protection-EU.pdf" rel="nofollow">download the slides here</a> (PDF, 1.26 MB).</p> <p>To get access to the 
full video of the presentation <a href="http://www.thomashelbing.com/en/contact-imprint" rel="nofollow">please contact me</a>.</p> <p>The presentation gives an overview of the requirements of the EU Data Protection Directive for cloud computing services, with examples from national laws, in particular Germany. No legal background knowledge is required.</p> <h2>Links:</h2> <h3>Slide 1a "EU Data Protection Directive - Introduction"</h3> <p><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML" rel="nofollow">Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data</a></p> <h3>Slide 1d "EU Data Protection Directive - Controller / Processor"</h3> <p><a href="http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp169_en.pdf" rel="nofollow">Article 29 Working Party - Opinion 1/2010 on the concepts of "controller" and "processor"</a></p> <h3>Slide 2a "Contracts and Security Measures - Security Measures"</h3> <p><a href="http://www.bfdi.bund.de/cae/servlet/contentblob/844438/publicationFile/51350/aktualisiertesBDSG.pdf" rel="nofollow">German Federal Data Protection Act - Bundesdatenschutzgesetz, BDSG - Unofficial English Translation</a></p> <h3>Slide 3b "Data Export to Third Countries - Standard Contractual Clauses"</h3> <p><a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2010:039:0005:0018:EN:PDF" rel="nofollow">Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council - new version applicable from 15 May 2010</a></p> <h3>Slide 3d "Data Export to Third Countries - Safe Harbor"</h3> <p><a href="http://www.export.gov/safeharbor/" rel="nofollow">US Department of Commerce Website on Safe Harbor</a></p> <h3>Slide 
3e "Data Export to Third Countries - Binding Corporate Rules"</h3> <ul> <li><a href="http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp155_rev.04_en.pdf" rel="nofollow">WP 155: Working Document on Frequently Asked Questions (FAQs) related to Binding Corporate Rules</a></li> <li><a href="http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp154_en.pdf" rel="nofollow">WP 154: Working Document Setting up a framework for the structure of Binding Corporate Rules</a></li> <li><a href="http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp153_en.pdf" rel="nofollow">WP 153: Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules</a></li> <li><a href="http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp133_en.doc" rel="nofollow">WP 133: Recommendation 1/2007 on the Standard Application for Approval of Binding Corporate Rules for the Transfer of Personal Data (Word file)</a></li> <li><a href="http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp108_en.pdf" rel="nofollow">WP 108: Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules</a></li> <li><a href="http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp107_en.pdf" rel="nofollow">WP 107: Working Document Setting Forth a Co-Operation Procedure for Issuing Common Opinions on Adequate Safeguards Resulting From "Binding Corporate Rules"</a></li> </ul> Published Wed, 24 Mar 2010 22:51:12 +0000 Amended German Data Protection Law Requires New Agreements with Data Processors http://www.thomashelbing.com/en/amended-german-data-protection-law-requires-new-agreements-data-processors <p>The amended German data protection law <strong>obliges parties to</strong> data 
processing agreements to <strong>include</strong> in their contracts <strong>clauses on breach notifications, audit rights, subcontracting</strong> and a number of other aspects.</p> <p>Non-conforming contracts can trigger <strong>administrative fines of up to € 50,000</strong>. Agreements already in place should be reviewed, and policies implemented to ensure the compliance of future contracts.</p> <h2>Which contractual relationships are affected?</h2> <p>Any agreement under which a third party is storing, using or otherwise processing personal data for your company must meet the new requirements, in particular if it is entered into, renewed or amended after 1 September 2009. These so-called controller-processor relationships [<em>Auftragsdatenverarbeitungs-Verhältnisse</em>] exist if a service provider processes personal data for and on behalf of your company or has access to your data.</p> <p>Personal data means any information that can be linked to an individual, for example shipping addresses or purchase histories of your customers, contact information of business partners, or employee data such as name, position, curriculum vitae or salary.</p> <p>The new rules also cover <strong>intra-group situations</strong>, for example if a parent company operates a centralized customer database or a human resources information system that stores customer data or employee data of its subsidiaries.</p> <p>Examples of possibly affected relationships are:</p> <ul> <li>service agreements with payroll processors or archiving service providers</li> <li>agreements with call centers or direct marketing service providers (mailings, newsletter delivery, lettershops)</li> <li>contracts with companies hosting human resources information systems (HRIS) or customer relationship management (CRM) tools</li> <li>agreements with external auditors or maintenance service providers</li> <li>other agreements on the provision of IT resources (e.g. 
application service provision, cloud computing, software as a service, website hosting, online storage).</li> </ul> <p>These controller-processor relationships have to be distinguished from situations in which a company has not merely outsourced the data processing but an entire function (e.g. the customer care department). These cases are referred to as <strong>controller-controller relationships</strong> [<em>Funktionsübertragungen</em>] and are subject to different and even stricter data protection regulations. The distinction between controller-processor and controller-controller relationships is difficult and must be made on a case-by-case basis.</p> <h2>What does the new law require?</h2> <p>The old law, in force until 31 August 2009, already contained basic requirements for controller-processor agreements. These have now been extended and detailed.</p> <p>Since 1 September 2009 the parties must <strong>set forth in a written agreement</strong>, in particular:</p> <ul> <li>the scope of the personal data processed by the processor, and the manner in which and the purpose for which the data is collected, used and processed by the processor</li> <li>the controller's rights to give instructions to the processor</li> <li>the technical and organizational measures to be implemented by the processor to ensure data security</li> <li>the correction, deletion and blocking of data by the processor</li> <li>the processor's right to subcontract or outsource parts of the processing</li> <li>the processor's obligations to appoint a data protection officer and to bind its employees in writing to data secrecy</li> <li>the audit rights of the controller</li> <li>the processor's data breach notification obligations, and</li> <li>the procedure for the return and deletion of data at the end of the contract.</li> </ul> <p>The <strong>controller is fully responsible</strong> for the lawfulness of the data processing by the processor and for compliance with these mandatory contractual provisions. 
Also, the German Federal Data Protection Act [<em>Bundesdatenschutzgesetz</em>] expressly states that controllers must diligently select processors, taking into account the technical and organizational security measures implemented by the processor. Controllers must also audit processors regularly and record the results.</p> <p>If the <strong>data processor is established outside the European Economic Area (EEA)</strong>, additional measures have to be taken in order to ensure an "adequate level of data protection" at the processor. To accomplish this, many companies use the "EU model clauses for the transfer of personal data to processors established in third countries". Unfortunately, these model clauses do not fully cover the new strict requirements of the German law. For example, the model clauses contain only vague data breach notification obligations. Therefore, if data processors outside the EEA process business-critical data, the model clauses should be accompanied by additional contractual provisions.</p> <h2>What are possible sanctions and how likely are they?</h2> <p>Data protection authorities can impose <strong>administrative fines of up to € 50,000</strong> on companies with insufficient controller-processor agreements. In case of a data breach at the data processor, the data controller can become subject to damage claims by the affected individuals. Further, <strong>data protection officers</strong> negligently failing to implement the new rules could become <strong>liable</strong> vis-à-vis their company.</p> <p>Controller-processor agreements are usually not audited by data protection authorities without reason, but upon a complaint by an individual, authorities start investigations and in this course can ask companies to provide the applicable agreements. Investigations can also be initiated in case of a data breach. 
Since the German legislator has recently introduced breach notification obligations, privacy violations are more likely to come to the attention of the authorities.</p> <h2>What steps do you recommend? How can you help?</h2> <p><strong>Short term:</strong></p> <ul> <li>Identify all situations in which your company is the data controller in a controller-processor relationship and rank these relationships using the following criteria: (i) amount of data, (ii) sensitivity of the data, (iii) business relevance of the data, and (iv) status of the processor (group company, establishment within or outside the EEA, results of prior audits).</li> <li>Review business-critical agreements and amend them where necessary.</li> </ul> <p><strong>Mid-term:</strong></p> <ul> <li>Implement internal policies, templates and checklists to ensure that future agreements are compliant.</li> <li>Implement procedures to audit processors regularly.</li> <li>Update old agreements step by step (e.g. upon contract renewals).</li> </ul> <p>We can offer support in reviewing existing agreements, drafting and negotiating necessary amendments, and ensuring compliance of future contracts by drafting policies and checklists for your internal use.</p> <p>Please <a href="/en/contact-imprint">contact us</a> for further information or to <strong>obtain our free sample policy and checklist</strong>.</p> Published Tue, 02 Feb 2010 18:54:00 +0000