Data pro­tec­tion aut­ho­ri­ties: new check­list for data pro­ces­sing agreements

In cases whe­re per­so­nal data is not pro­ces­sed by the con­trol­ler direct­ly, but rather by  ser­vice pro­vi­ders which are enga­ged by the con­trol­ler,  such as e.g. web hos­ting pro­vi­ders or Cloud ope­ra­tors, a so-called pro­ces­sing arran­ge­ment exists from the view­point of data pro­tec­tion law. Prac­ti­cal examp­les of such arran­ge­ments are web hos­ting and Cloud com­pu­ting ser­vices, as well as software-as-a-service (SaaS). From the view­point of data pro­tec­tion law, pro­ces­sing may only be per­for­med by a third-party pro­ces­sor if the pro­ces­sing is gover­ned by a data pro­ces­sing agree­ment. In prac­ti­ce, howe­ver, it has beco­me evi­dent again and again that even lar­ge ser­vice pro­vi­ders find it dif­fi­cult to pro­vi­de a data pro­ces­sing agree­ment which meets the GDPR’s requi­re­ments. Accord­in­gly, several Ger­man data pro­tec­tion aut­ho­ri­ties have laun­ched a coör­di­na­ted inves­ti­ga­ti­on into the model con­tracts used by selec­ted major web hos­ting pro­vi­ders. The aut­ho­ri­ties have also publis­hed a check­list for the exami­na­ti­on of data pro­ces­sing agree­ments which fea­tures their con­sen­sus legal opi­ni­on with regard to the requi­re­ments for vali­di­ty and is the­re­fo­re of value even out­side the cur­rent proceedings.

The check­list: clas­si­fi­ca­ti­on and content

In terms of its con­tent, the check­list spe­ci­fies when the sta­tu­to­ry requi­re­ments for data pro­ces­sing agree­ments are met from the view­point of the data pro­tec­tion aut­ho­ri­ties and when they aren’t. By no means should it be con­strued as bin­ding gui­de­li­nes for the for­mu­la­ti­on of data pro­ces­sing agree­ments, but rather as the legal opi­ni­on of the par­ti­ci­pa­ting aut­ho­ri­ties. Nevertheless, the­re is no ques­ti­on that the check­list will be used by the data pro­tec­tion aut­ho­ri­ties as a stan­dard of review and that both con­trol­lers and pro­ces­sors can avoid legal con­flicts with the aut­ho­ri­ties if they imple­ment and satisfy the requi­re­ments, par­ti­cu­lar­ly in light of the fact that Ger­man data pro­tec­tion aut­ho­ri­ties are extre­me­ly fond of docu­ment examinations.

The check­list also con­tains state­ments by the data pro­tec­tion aut­ho­ri­ties e.g. with regard to the fol­lowing rele­vant aspects, which have repeated­ly occu­p­ied com­pa­nies when drawing up their data pro­ces­sing agreements:

  • The pro­ces­sing acti­vi­ty must be clear­ly defi­ned. Howe­ver, the check­list cla­ri­fies that  spe­ci­fi­ca­ti­on of the type of pro­ces­sing is not necessa­ri­ly requi­red as long as the sub­ject and pur­po­se of pro­ces­sing are suf­fi­ci­ent­ly defined.
  • Con­fi­den­tia­li­ty obli­ga­ti­ons must not be over­ly strict; in par­ti­cu­lar, they must allow for the dis­clo­sure of infor­ma­ti­on to super­vi­so­ry aut­ho­ri­ties and data sub­jects. Other­wi­se, con­trol­lers would be unab­le to meet their docu­men­ta­ti­on requirements..
  • When the pro­ces­sing peri­od is over, the con­trol­ler may choo­se whe­ther to dele­te the pro­ces­sed data or return it. In the aut­ho­ri­ties’ view, this choice may not be dele­ga­ted to the pro­ces­sor. Howe­ver, pro­ces­sors should be able to make preli­mi­na­ry decisi­ons in cases whe­re the con­trol­ler has not com­mu­ni­ca­ted its choice by the time the pro­ces­sing per­for­man­ces have con­clu­ded. But even in this case, the controller’s right to choo­se must be pre­ser­ved, inclu­ding the pos­si­bi­li­ty of sub­se­quent chan­ges to sti­pu­la­ti­ons made in the data pro­ces­sing agreement.
  • Final­ly, the controller’s exten­si­ve right of con­trol over the data may not be restric­ted except wit­hin very nar­row limits. Restric­tions should only be allo­wed inso­far as they pre­vent abu­se of the right of con­trol. This is often a serious pro­blem in prac­ti­ce, sin­ce exer­cise of the right of con­trol, e.g. in data cen­ters, can have a nega­ti­ve impact on cybersecurity.


It is to be expec­ted that the publis­hed check­list will assu­me con­si­derable impor­t­ance in the future for the review of data pro­ces­sing agree­ments by the data pro­tec­tion aut­ho­ri­ties and that it will be taken into account even by aut­ho­ri­ties which are not par­ti­ci­pa­ting in the cur­rent inves­ti­ga­ti­ons. Con­trol­lers and pro­ces­sors should the­re­fo­re con­sult the check­list in drawing up and reviewing their data pro­ces­sing agree­ments in order to mini­mi­ze the risk of super­vi­so­ry mea­su­res and pen­al­ties. This app­lies not only for new agree­ments but for exis­ting agree­ments as well, in which case it may be advi­s­able to seek a revi­si­on of the agree­ment. Berlin’s data pro­tec­tion aut­ho­ri­ty has decla­red as fol­lows in this regard: “We encou­ra­ge all IT ser­vice pro­vi­ders to con­duct an inde­pen­dent review of their stan­dard con­tracts and adjust them in order to con­form with legal requi­re­ments. After all, seve­re fines may be impo­sed not only against con­trol­lers who use IT ser­vice pro­vi­ders without a pro­per pro­ces­sing con­tract in place, but against the IT ser­vice pro­vi­ders them­sel­ves as well.”


Stay up-to-date

We use your e-mail address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.