Commissioned processing under German data protection law

Commissioned data processing (Auftragsdatenverarbeitung, ADV) takes place when a data controller engages a data processor to process personal data on the controller's behalf. The German BDSG stipulates that the data controller remains responsible for compliance with the data protection provisions even where a data processor is employed.

§ 11 BDSG data processor

The provision in § 11 (1) BDSG states that the contractually non-excludable rights of the data subject as well as possible claims for damages against the respective data controller, from which personal data originates, must remain applicable. It is therefore in the interest of the data controller that the data processor implements and complies with the data protection provisions.

The data processor does, however, benefit from the privilege of § 3 (8) BDSG. As a rule, any processing of personal data requires a legal authorization (a statutory basis) or the consent of the data subject.

This requirement does not apply to commissioned processing, because passing data to the processor is not a “transmission” to a “third party” within the meaning of § 3 (4) no. 3 BDSG; instead, the data processor is treated as forming a single legal unit with the data controller.

Under § 3 (8) BDSG, the privilege applies only within the European Union (EU) or the European Economic Area (EEA). Outside this area, the two-step assessment of whether the third country in question provides an adequate level of data protection applies again (see “Data transfer”).

Obligations of the client and contractor (§ 11 BDSG)

The data controller is responsible for the careful selection of the data processor, whose suitability must be examined. The data controller must provide the technical and organizational means to comply with the data protection requirements and standards of the company. The data processor is responsible for verifying that these measures are implemented within its own company before data processing begins, and for repeating this verification at regular intervals. Compliance with these obligations must be verifiable and should therefore be documented (§ 11 (2) BDSG).

The data processor is not the primarily responsible body. Therefore, as per § 11 (3) BDSG, it must follow the instructions of the data controller, as long as these instructions comply with data protection law. If the data processor considers an instruction to violate data protection law, it must inform the data controller immediately, cf. § 11 (3) BDSG. According to § 11 (4) BDSG, the other significant data protection obligations must be fulfilled by the processor independently. In particular, the data processor has to observe data secrecy according to § 5 BDSG and implement the technical and organizational measures required to ensure data protection (§ 9 BDSG). If the data processor fulfils the elements of an offence under §§ 43, 44 BDSG, it may itself be fined for an administrative offence or be subject to criminal prosecution.

ADV contract (pre-conditions)

Given the responsibility that remains with the data controller, a data processing contract must be concluded. § 11 (2) BDSG provides a list of pre-conditions for such a contract. This catalog of requirements is not exhaustive and must be adapted to the individual case.

As minimum requirements, the following points must be determined within the contract:

  1. the object and duration of the contract,
  2. the extent, type and purpose of the data processing and the corresponding phases (principle of intended use!), the type of personal data and the categories of data subjects,
  3. the technical and organizational measures according to § 9 BDSG,
  4. the rectification, blocking and deletion of data,
  5. the data processor’s obligations regulated in § 11 (4) BDSG (see above),
  6. the right to establish sub-contracting relationships,
  7. the control rights of the data controller and the data processor’s duties to tolerate and cooperate with inspections,
  8. breaches against data protection regulations or contractual agreements committed by the
  9. the extent of the data controller’s authority to issue instructions to the data processor,
  10. the return of delivered data carriers and the deletion of data stored by the data processor after the contract ends.

The contract must be in writing.

Even for service providers who only incidentally come into contact with personal data, the rules on data processors may apply in individual cases.

For the individual steps of commissioned data processing, we provide instructions with corresponding samples and templates for the initial inspection and for the ADV contract.