The amended German data protection law obliges the parties to data processing agreements to include in their contracts clauses on breach notifications, audit rights, subcontracting and a number of other aspects.
Nonconforming contracts can trigger administrative fines of up to € 50,000. Agreements already in place should be reviewed and policies implemented to ensure the compliance of future contracts.
Any agreement under which a third party is storing, using or otherwise processing personal data for your company must meet the new requirements, in particular if entered into, renewed or amended after 1 September 2009. These so-called controller-processor relationships [Auftragsdatenverarbeitungs-Verhältnisse] exist if a service provider is processing personal data for and on behalf of your company or has access to your data.
Personal data means any information that can be linked to an individual, for example shipping addresses or purchase histories of your customers, contact information of business partners or employee data like name, position, curriculum vitae or salary.
The new rules also cover intra-group situations, for example if a parent company is operating a centralized customer database or a human resources information system that stores customer data or employee data of its subsidiaries.
Examples of possibly affected relationships are:
These controller-processor relationships have to be distinguished from situations in which a company has outsourced not merely the data processing but an entire function (e.g. the customer care department). These cases are referred to as controller-controller relationships [Funktionsübertragungen] and are subject to different and even stricter data protection regulations. The distinction between controller-processor and controller-controller relationships is difficult and must be made on a case-by-case basis.
The old law, in force until 31 August 2009, already contained basic requirements for controller-processor agreements. These have now been extended and detailed.
Since 1 September 2009 parties must set forth in a written agreement, in particular:
The controller remains fully responsible for the lawfulness of the data processing carried out by the processor and for compliance with these mandatory contractual provisions. In addition, the German Federal Data Protection Act [Bundesdatenschutzgesetz] expressly states that controllers must diligently select processors, taking into account the technical and organizational security measures implemented by the processor. Controllers must also audit processors regularly and record the results.
If the data processor is established outside the European Economic Area (EEA), additional measures have to be taken in order to ensure an "adequate level of data protection" at the processor. To accomplish this, many companies use the "EU model clauses for the transfer of personal data to processors established in third countries". Unfortunately, these model clauses do not fully cover the new, stricter requirements of the German law. For example, the model clauses contain only vague data breach notification obligations. Therefore, if data processors outside the EEA process business-critical data, the model clauses should be accompanied by additional contractual provisions.
Data protection authorities can impose administrative fines of up to € 50,000 on companies with insufficient controller-processor agreements. In the case of a data breach at the data processor, the data controller can become subject to damage claims from the affected individuals. Further, data protection officers who negligently fail to implement the new rules could become liable towards their company.
Controller-processor agreements are usually not audited by data protection authorities without reason, but following a complaint by an individual, authorities open investigations and in the course of these can ask companies to provide the applicable agreements. Investigations can also be initiated in the case of a data breach. Since the German legislator has recently introduced breach notification obligations, privacy violations are more likely to come to the attention of the authorities.
We can offer support in reviewing existing agreements, drafting and negotiating necessary amendments and ensuring compliance of future contracts by drafting policies and checklists for your internal use.