Situation:
John has an online platform for car leasing. His customers (individuals) file their leasing applications. John processes the applications on a server he rented from Mr. Processor, a professional server provider. The question is whether there is a special contract necessary between John and Mr Processor to ensure that John complies with data privacy when processing the customer data with Mr Processor´s server?
Legal consequences:
For the purposes of this note we refer to the General Data Protection Regulation (the Regulation) (EC 2016/679 of 27 April 2016), which is not yet in force but will apply starting 25 May 2018.
(English version of the Regulation: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=DE;
German version of the Regulation: http://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32016R0679&from=DE).
Article 28 of the Regulation determines that where processing of data is to be carried out on behalf of a controller, the controller shall use only processors which provide sufficient guarantees of compliance with the Regulation, ensuring the protection of the rights of the data subject.
This means that John may only engage a server provider which can sufficiently guarantee that the processing of data occurs in accordance with the Regulation. If the provider does not comply with this standard, John will be held accountable for violating the Regulation, because he has breached his obligation to engage only a server provider which can sufficiently guarantee compliance with the Regulation.
This obligation to sufficiently guarantee compliance with the Regulation is described in more detail in Article 28 of the Regulation, which we summarise as follows:
● no sub-contracting of processor without prior specific or general written authorisation of the controller;
● processing of data only in accordance with instructions from the controller (this applies also to transfer of data to third countries);
● persons authorised to process the personal data have committed themselves to confidentiality, or are bound by law to confidentiality obligations;
● the processor takes all measures required pursuant to Article 32, i.e. (a) the pseudonymisation and encryption of personal data, (b) ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services, (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing (e.g. by using an approved certification mechanism);
● assisting the controller to respond to requests for exercising the data subject’s rights laid down in Chapter III (subject to feasibility), which are transparent communication, providing access to information and data, rectification and erasure of data;
● assisting the controller in ensuring compliance with the security of the processing and the notification of personal data breaches to the supervisory authority and to the data subject (see Articles 32 to 36 of the Regulation), taking into account the nature of processing and the information available to the processor;
● at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
● making available to the controller all information necessary to demonstrate compliance with the obligations under Article 28 and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
We note that the contract between controller and processor shall be in writing, including in electronic form. This means that either hard copies are signed and sent as originals by the processor to the controller and the controller returns a countersigned copy as an original to the processor, or, if signed in electronic form, to be on the safe side, the contract is signed with an eSignature (there is currently some debate among legal scholars as to what “electronic form” means).
We further note that Article 28 of the Regulation does not apply only to server providers but may also apply to the providers of analytic tools, such as Google Analytics, Piwik, etc. Hence a platform operator who uses analytic tools to understand their customers better may need to enter into a contract with the provider of the analytic tools as well (beyond the further question of whether the assessment of data with the help of analytic tools is at all in compliance with the Regulation). Equally, the controller who is using the platform as a processor for some of its information would have to be informed appropriately about the analytic tools and would have to approve them as well.
Each of the controller and the processor must document their processing activities appropriately as set out in Article 30 of the Regulation.
The controller must record the following information (Article 30 para. 1):
● name and contact details of the controller;
● the purposes of the processing;
● a description of the categories of data subjects and of the categories of personal data;
● recipients to whom the personal data will be disclosed;
● transfers of personal data to a third country or an international organisation;
● time limits for erasure of the different categories of data;
● general description of the technical and organisational security measures referred to in Article 32(1) (see above the fourth bullet point of the enumeration relating to Article 28).
The processor must record the following information:
● name and contact details of the processor;
● the categories of processing carried out on behalf of each controller;
● transfers of personal data to a third country or an international organisation;
● general description of the technical and organisational security measures referred to in Article 32(1) (see above the fourth bullet point of the enumeration relating to Article 28).
The record shall be in writing, including in electronic form (see above on the electronic form). The controller or the processor shall make the record available to the supervisory authority on request.
Sample contracts and checklists:
A number of model contracts between processor and controller are available on the internet.
Health Warnings:
1. Please note that the links hereafter refer in most cases to the Regulation, but in some cases also to existing data privacy law.
2. When using the sample contracts please bear in mind that the Regulation does not yet apply and the existing data privacy law is still relevant until 25 May 2018.
3. Generally speaking, the Regulation is stricter than existing data privacy law. So using a sample that already refers to the Regulation should also comply with existing data privacy law.
4. Finally, data privacy law is pretty complex. So our recommendation is to get the assistance of an expert, because otherwise you might get it wrong.
We attach the following links:
For sample contracts:
RDV – Recht der Datenverarbeitung (https://www.rdv-online.com/):
Standard contract in German and English language (provided by GDD – Gesellschaft für Datenschutz und Datensicherheit e.V.): https://www.rdv-online.com/news/gdd-mustervertrag-zur-auftragsverarbeitung-nach-art.-28-ds-gvo-auf-englisch-verfuegbar
Bitkom (http://www.bitkom.org):
Standard contract in German and English Version (Zip-file):
https://www.bitkom.org/Bitkom/Publikationen/Aktualisierte-Mustervertragsanlage-zur-Auftragsdatenverarbeitung.html
Datenschutzbeauftragter (https://www.datenschutzbeauftragter-info.de/):
The article below is in German and contains a legal assessment of the use of Google Analytics and a link to a standard contract for the processing of information by Google Analytics:
https://www.datenschutzbeauftragter-info.de/fachbeitraege/google-analytics-datenschutzkonform-einsetzen/
DLA Piper (pdf in English language):
https://www.dlapiper.com/~/media/Files/…/example_data_protection_addendum.doc
For checklists:
Relating to the Bundesdatenschutzgesetz (German Federal Data Protection Act):
https://www.datenschutz-bayern.de/technik/orient/oh_auftragsverarbeitung.pdf (very detailed)
Detailed comprehensive checklist from Information Commissioner’s Office (UK authority) (https://ico.org.uk/):
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/
This article will be integrated into one of our templates (e.g. DSGVO (= General Data Protection Regulation)), which can be downloaded on our platform and form the basis for your workflow processes (please join us for free to check out the templates).
If you are interested in contributing an article to this blog, we may include this article in our templates as well and feature you as the author of the content. You may also create a template and propose to us that it be included in the collection of templates we have available for download, and become featured as the author of that template.
Both alternatives give you the possibility to become known to the users of the relevant templates. Please kindly send your article to Oliver.Waldburg@worklean.com and confirm your position, the jurisdiction for which the article is relevant, as well as your area of expertise.