Update Data Protection No. 31
GDPR - Need to adapt existing agreements
The General Data Protection Regulation (GDPR) is also applicable to current processing of personal data. This means that existing agreements on data processing must also be adapted if they do not comply with the requirements of the GDPR.
This will be the case with the majority of agreements on order data processing. However other agreements, for example those concerning the transfer of functions, will have to be examined carefully and adapted where necessary.
Agreements on commissioned data processing
Existing agreements on commissioned data processing are frequently oriented strictly towards Section 11 BDSG that has thus far prescribed the mandatory content of such agreements. In future, the legal basis for agreements on commissioned data processing will be Article 28 GDPR. This also requires the conclusion of a contract, or the use of another binding legal instrument with a specific content. Even if many of the previous contracts include the minimum content prescribed by Art. 28 GDPR, the adaptation of existing contracts is nevertheless advisable - not only for the purpose of correcting the reference to rules of the BDSG (Federal Data Protection Act) that will cease to exist as from May 25, 2018.
Duties to cooperate and to inform
Most models under the current law contain no rules on duties of the processor to cooperate and to inform in the case of measures by official authorities, in particular in the event of proceedings concerning administrative offenses. Providing for such duties is advisable not only from the perspective of the client commissioning data processing, but also from the perspective of the processor. In future the processor will have extended duties, and failure to comply with these can make the processor himself liable to administrative offenses proceedings. It is also advisable to make contractual agreements concerning the documentation, required by both sides, of the respective data protection measures to be complied with. Extensive duties to document will apply not only to the controller in future. With just a few exceptions, each processor will also be required to document all processing relationships in future. Reciprocal duties to support are therefore advisable, and in part indispensable, in order to be able to satisfy the legal requirements. After all, a processor can frequently fulfil certain obligations under the GDPR better and more efficiently than the controller. These include for example the obligation to erase data and guaranteeing the right to be forgotten, the rectification of data, fulfilment of the right to data portability and of rights of access to personal data by data subjects. It may therefore be advisable to implement a system whereby these duties, incumbent on the controller, must be fulfilled by the processor as instructed by the controller.
Technical and organizational measures
The GDPR obliges companies to implement suitable technical and organizational measures to ensure and demonstrate that processing is carried out in accordance with the GDPR. In most cases, existing agreements on commissioned data processing do not include this obligation, and should therefore be supplemented or adapted.
Subcontracting
The GDPR imposes stricter standards on subcontracting agreements. In future, these will require either written authorization on a case-by-case basis or, if the controller has issued general authorization, at least information by the processor including the controller’s right of objection. This too is usually not included in current models.
Liability rules in an internal relationship
A further important point is the future joint liability of controller and processor with respect to data subjects. The agreement on commissioned data processing should specify the liability and adjustment in an internal relationship. Current agreements on commissioned data processing do mostly not include any provisions in this respect.
Joint responsibility
So-called joint responsibility is given if two or more controllers jointly determine the purposes and means for the processing of personal data (Art. 26 (1) Sentence 1 GDPR). If this is the case, the parties are obliged under Art. 26 (1) Sentence 2 GDPR to make an agreement laying down the data protection obligations resulting from their cooperation. Cases that have thus far been regarded as commissioned data processing or were designed as transfer of function, can by all means prove to be cases of joint responsibility given closer scrutiny. If this is the case, the content of existing agreements must be adapted to the requirements of Art. 26 GDPR. If no agreements exist between the parties as yet, they must be concluded.
Essential content that must be contained in agreements between jointly responsible parties is which of the parties is required to fulfil what obligations with respect to the data subjects. Accordingly, agreements must specify who is required to fulfil the claims of the data subjects - e.g. the right of access to personal data - and who will ensure fulfilment of the duties to inform data subjects pursuant to Art. 13 and 14 GDPR.
Summary
As the GDPR creates in part new, in part extended requirements on commissioned data processing and joint responsibility, it is advisable to check existing agreements on the processing of personal data -whether in an order relationship or in a context suggesting joint responsibility - and to adapt these to the legal situation that will apply as from May 25, 2018.