As many market players are aware, German law already provides for specific requirements which apply to the relationship between a controller and a processor and some presume that the GDPR will make little difference to that. However, the GDPR will trigger some important changes.
GDPR and the new role of processors
One focus of the GDPR is placing more emphasis on the role and responsibilities of data processors. Under the GDPR, processors will be subject to new compliance requirements and to sanctions for non-compliance (see our article for more detail). In contrast, under the current regime which was established by an EU Directive dating back to 1995, obligations applied predominantly to controllers, i.e. the entity which determined the purpose and extent of processing and was able to flow down data protection responsibilities.
Status quo in Germany
Businesses often regard the present German requirements as some of the strictest in the EU. German data protection laws require the controller to enter into a written agreement with any processor. This applies to any transfer of personal data from the controller to a third party that acts under the sole instruction of the controller. Data processor agreements are, however, not only executed with third party service providers. They are also often used for data transfers between group companies, because German law does not apply an intra-group privilege in this regard. For example, the provision of shared services by a parent company to its subsidiaries, where those services require the processing of personal data, is regularly structured as “data processing”.
The required data processor agreements must comply with a number of requirements. These include: defining the scope and extent of processing; imposing security obligations on the processor by way of so-called technical and organisational measures; granting the controller an audit right so that compliance with these obligations can be checked; obliging the processor to notify the controller without undue delay upon becoming aware of a data breach; agreeing whether, and subject to which requirements, the processor may use sub-contractors; and requiring the processor to support the controller in complying with formal requirements. If that is starting to sound familiar to those outside Germany, it is probably because many of these requirements are now reflected in the GDPR. That is not to say, however, that the GDPR does not introduce major changes into the controller-processor relationship in Germany.
Changes under the GDPR
In contrast to the current set-up in Germany, the processor will have more responsibilities under the GDPR. For example, the processor will have to assist the controller in determining which security measures are appropriate. In addition, the processor will need to provide the controller with the information necessary for demonstrating compliance and will be required to assist with audits. Aside from that, and in contrast to the rather vague German law requirement on sub-contracting, the GDPR provides for a prior written consent obligation, placing control over processor sub-contracting firmly with the data controller.
On the plus side, the GDPR will allow for the execution of data processor agreements in electronic form. This means that the existing German requirement to sign in writing will be lifted from 2018. From a practical perspective this will be helpful, especially with regard to cloud computing services.
Furthermore, under the GDPR, the EU Commission could recognise the EC Model Clauses as appropriate data processor agreements for personal data transfers within the EU. To date, these agreements have only been used for transfers to third countries. In Germany, there is another issue with the ‘controller to processor’ set of the EC Model Clauses, namely that the German law requirements for data processor agreements go beyond the scope of the EC Model Clauses. As a result, regulators have asked controllers to cover these additional requirements by adding further clauses or signing additional agreements when transferring personal data to processors located outside the EU. The GDPR could prove useful in reducing paperwork in this regard.
Finally, the GDPR recognises that certification may also be used as a means of proving compliance. This is an improvement on the current situation in Germany. Whilst some German regulators are in favour of certification, there is no official German guidance to indicate that certifications are widely accepted. Applicable certification would allow processors to achieve compliance in a faster, more flexible way.
The way ahead
Data processor agreements will need to be more specific in future, both in Germany and beyond, in particular concerning the instructions issued by the controller and the security measures to be applied. Whether a complete revision of existing German agreements will be required, or whether adding supplementary clauses could suffice, remains to be seen. In any case, existing data processor agreements will need to be carefully reviewed by businesses located in Germany.