Outsourced / commissioned data processing
Given the huge commercial importance of out-sourcing and the habitual commissioned data processing that comes with it, business should ensure they are well informed about how commissioned data processing is governed under Germany’s Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).
Outsourcing shapes a large part of the daily management of many businesses. Whether it is for financial reasons or to benefit from strong know-how, many individual processes and even entire fields of activity are outsourced. Examples include: customer care call centres, commissioning external agencies to lead marketing campaigns; or the use of external payroll accounting. With the increased use of cloud services (SaaS), external technical engineers and external data centres, outsourcing is growing particularly rapidly in the area of IT.
As the outsourcing of commercial activities is often linked with a transfer of customer or employee personal data, businesses must be aware of the rules governing business’ responsibility for the protection of data and the measures that must be taken.
In this context, the legal provisions on commissioned data processing are relevant to many outsourcing situations.
Commissioned data processing
Paragraph 11 of Germany’s Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) governs the circumstances where personal data is collected, processed or used by an agent on behalf of a principal. The principal remains exclusively responsible for the proper and lawful processing of data and for the protection of the rights of those affected.
The result of this regulation is that the agent commissioned to conduct data processing is not themselves considered the responsible entity for complying with data privacy laws, but is seen as “an extended arm” of and part of the principal. In this way, users’ data are protected from third parties shifting responsibility around.
Content of a data processing contract
To ensure that responsibility for data processing is guaranteed and that outsourced data processing is conducted legally, certain requirements must be met.
When selecting an agent, the principal must consider all data privacy aspects and exercise the required due diligence and care.
The data processing activities should be governed by a written contract containing the subject matter referred to in §11(2) BDSG. In addition to provisions detailing the assignment, the contract should also contain clauses detailing the way in which data is to be processed and handled. The agency contract should also include broad supervisory rights and grant authority of the principal over the agent. Furthermore, the contract should also set out the agent’s duty to adopt technical and organisational security measures, including rules on engaging sub-contractors.
Distinguishing a transfer of functions
It should be ensured that the agent processes data in an auxiliary manner, i.e. that the agent can only provide support to the principal and must not be granted any discretion as to the processed data.
If this is not the case, the circumstances do not represent the commissioning of data processing, but the transfer of the function to the agent. The consequence of this is that the agent is considered the responsible entity for ensuring compliance with data protection law.
Transfer to third countries
If data is transferred to entities registered outside the European Union or the European Economic Area, the company that receives the data is considered to be the responsible entity for ensuring compliance with data protection laws (§3(8) BDSG). Outsourced data processing within the meaning of §11 BDSG does not occur.
Outsourcing data processing to entities registered in third countries can only occur if additional data privacy protection measures are taken, including adopting the EU’s Binding Corporate Rules and if necessary, a safe harbour certificate.
Bespoke advice needed
It is clear from the above that the outsourcing of data processing is linked with a range of legal issues that should be considered. Hoards of template contracts are available to help businesses fulfil their data privacy obligations. As these templates often require adaptation and supplementation, it is generally advisable to seek legal assistance or to contact an external data protection commissioner.
Do you have questions about IT law, licences or data protection? We are happy to help!
German lawyer, Christian Solmecke, and his expert team are available to answer your questions.
Call us on 0221 / 951 563 0 (Beratung bundesweit) or use our contact form.