On August 20, 2015, the Bavarian Data Protection Authority (“DPA”) issued a press release stating that it imposed a significant fine on a data controller for failing to adequately specify the security controls protecting personal data in a data processing agreement with a data processor.

The DPA stated in the press release that the data processing agreement did not contain sufficient information regarding the technical and organizational measures to protect the personal data. The press release noted that the agreement was not specific enough and merely repeated provisions mandated by law.

According to the German Federal Data Protection Act, data controllers must impose detailed data security measures on data processors in data processing agreements. The text of a data processing agreement must enable the data controller to assess whether or not the data processor is able to ensure the protection and security of the personal data.

According to the DPA, the law provides some flexibility for companies to determine which contractual obligations are appropriate for a particular engagement. The DPA stated that this choice may depend on the data security plan of the data processor and related data processing systems used. In all data processing agreements, however, the following controls must be specified: (1) physical admission control, (2) virtual access control, (3) access control, (4) transmission control, (5) input control, (6) assignment control, (7) availability control and (8) separation control.