On August 20, 2015, the Bavarian Data Protection Authority (DPA) issued a press release stating that it had imposed a significant fine on an organization that engaged in commissioned data processing without first concluding a proper data processing agreement.
Pursuant to section 11 of the German Federal Data Protection Act (BDSG), additional requirements apply if a third party processes personal data on behalf of the data controller. Ultimately, the data controller is responsible for compliance with these requirements. The contract between data controller and processor must be concluded in writing. In particular, it must specify the following:
- The subject and duration of the work to be carried out.
- The extent, type and purpose of the intended collection, processing or use of data, the type of data and category of data subjects.
- The technical and organizational measures to be taken to protect the data.
- The rectification, deletion and blocking of data.
- The processor’s obligations under section 11, paragraph 4 of the BDSG, particularly in relation to monitoring.
- Any right to issue subcontracts.
- The controller’s right to monitor the processor and the processor’s corresponding obligation to co-operate.
- Rules applicable if the processor or its employees violates:
- provisions relating to the protection of personal data; or
- terms specified by the controller, which are subject to the obligation to notify.
- The extent of the controller’s authority to issue instructions to the processor.
- The return of data storage media and the deletion of data recorded by the processor after the work is completed.
The technical and organizational measures which must be taken to protect the data are particularly important. The contract must define these measures in concrete and specific terms. Commissioned data processing that occurs in the absence of these specific provisions is an administrative offense, which can result in a fine of up to EUR 50,000, and in severe cases, EUR 300,000.
In this case, the contract did not define concrete technical and organizational measures to protect the personal data being processed. Instead, the commission agreements contained only a few general statements and repetitions of the legal text.
The Bavarian Data Protection Authority explained that the technical and organizational measures cannot defined using only general terms. The specifics of the contractual provisions must take into account the data security concept of the respective service provider and the particular data processing systems.
Ultimately, this lead the Bavarian Data Protection Authority to impose upon the data controller a five-digit fine. This fine may accrue for each violation of the data protection regulations, meaning each unlawful data transfer. Thus, the total financial penalty may be extremely expensive.
The president of the Bavarian Data Protection Authority specifically recommended that special care be taken when contracting with an external service provider and stated that enforcement of the data protection laws and imposition of the respective fines will continue.