Data pro­tec­tion aut­ho­ri­ties: new check­list for data pro­ces­sing agreements

In cases whe­re per­so­nal data is not pro­ces­sed by the con­trol­ler direct­ly, but rather by  ser­vice pro­vi­ders which are enga­ged by the con­trol­ler,  such as e.g. web hos­ting pro­vi­ders or Cloud ope­ra­tors, a so-called pro­ces­sing arran­ge­ment exists from the view­point of data pro­tec­tion law. Prac­ti­cal examp­les of such arran­ge­ments are web hos­ting and Cloud com­pu­ting ser­vices, as well as software-as-a-service (SaaS). From the view­point of data pro­tec­tion law, pro­ces­sing may only be per­for­med by a third-party pro­ces­sor if the pro­ces­sing is gover­ned by a data pro­ces­sing agree­ment. In prac­ti­ce, howe­ver, it has beco­me evi­dent again and again that even lar­ge ser­vice pro­vi­ders find it dif­fi­cult to pro­vi­de a data pro­ces­sing agree­ment which meets the GDPR’s requi­re­ments. Accor­din­gly, seve­ral Ger­man data pro­tec­tion aut­ho­ri­ties have laun­ched a coor­di­na­ted inves­ti­ga­ti­on into the model con­tracts used by sel­ec­ted major web hos­ting pro­vi­ders. The aut­ho­ri­ties have also published a check­list for the exami­na­ti­on of data pro­ces­sing agree­ments which fea­tures their con­sen­sus legal opi­ni­on with regard to the requi­re­ments for vali­di­ty and is the­r­e­fo­re of value even out­side the cur­rent proceedings.

The check­list: clas­si­fi­ca­ti­on and content

In terms of its con­tent, the check­list spe­ci­fies when the sta­tu­to­ry requi­re­ments for data pro­ces­sing agree­ments are met from the view­point of the data pro­tec­tion aut­ho­ri­ties and when they are­n’t. By no means should it be con­strued as bin­ding gui­de­lines for the for­mu­la­ti­on of data pro­ces­sing agree­ments, but rather as the legal opi­ni­on of the par­ti­ci­pa­ting aut­ho­ri­ties. Nevert­hel­ess, the­re is no ques­ti­on that the check­list will be used by the data pro­tec­tion aut­ho­ri­ties as a stan­dard of review and that both con­trol­lers and pro­ces­sors can avo­id legal con­flicts with the aut­ho­ri­ties if they imple­ment and satis­fy the requi­re­ments, par­ti­cu­lar­ly in light of the fact that Ger­man data pro­tec­tion aut­ho­ri­ties are extre­me­ly fond of docu­ment examinations.

The check­list also con­ta­ins state­ments by the data pro­tec­tion aut­ho­ri­ties e.g. with regard to the fol­lo­wing rele­vant aspects, which have repea­ted­ly occu­p­ied com­pa­nies when dra­wing up their data pro­ces­sing agreements:

  • The pro­ces­sing acti­vi­ty must be cle­ar­ly defi­ned. Howe­ver, the check­list cla­ri­fies that  spe­ci­fi­ca­ti­on of the type of pro­ces­sing is not neces­s­a­ri­ly requi­red as long as the sub­ject and pur­po­se of pro­ces­sing are suf­fi­ci­ent­ly defined.
  • Con­fi­den­tia­li­ty obli­ga­ti­ons must not be over­ly strict; in par­ti­cu­lar, they must allow for the dis­clo­sure of infor­ma­ti­on to super­vi­so­ry aut­ho­ri­ties and data sub­jects. Other­wi­se, con­trol­lers would be unable to meet their docu­men­ta­ti­on requirements..
  • When the pro­ces­sing peri­od is over, the con­trol­ler may choo­se whe­ther to dele­te the pro­ces­sed data or return it. In the aut­ho­ri­ties’ view, this choice may not be dele­ga­ted to the pro­ces­sor. Howe­ver, pro­ces­sors should be able to make preli­mi­na­ry decis­i­ons in cases whe­re the con­trol­ler has not com­mu­ni­ca­ted its choice by the time the pro­ces­sing per­for­man­ces have con­cluded. But even in this case, the controller’s right to choo­se must be pre­ser­ved, inclu­ding the pos­si­bi­li­ty of sub­se­quent chan­ges to sti­pu­la­ti­ons made in the data pro­ces­sing agreement.
  • Final­ly, the controller’s exten­si­ve right of con­trol over the data may not be rest­ric­ted except within very nar­row limits. Rest­ric­tions should only be allo­wed inso­far as they pre­vent abu­se of the right of con­trol. This is often a serious pro­blem in prac­ti­ce, sin­ce exer­cise of the right of con­trol, e.g. in data cen­ters, can have a nega­ti­ve impact on cybersecurity.


It is to be expec­ted that the published check­list will assu­me con­sidera­ble importance in the future for the review of data pro­ces­sing agree­ments by the data pro­tec­tion aut­ho­ri­ties and that it will be taken into account even by aut­ho­ri­ties which are not par­ti­ci­pa­ting in the cur­rent inves­ti­ga­ti­ons. Con­trol­lers and pro­ces­sors should the­r­e­fo­re con­sult the check­list in dra­wing up and revie­w­ing their data pro­ces­sing agree­ments in order to mini­mi­ze the risk of super­vi­so­ry mea­su­res and pen­al­ties. This appli­es not only for new agree­ments but for exis­ting agree­ments as well, in which case it may be advi­sa­ble to seek a revi­si­on of the agree­ment. Berlin’s data pro­tec­tion aut­ho­ri­ty has declared as fol­lows in this regard: “We encou­ra­ge all IT ser­vice pro­vi­ders to con­duct an inde­pen­dent review of their stan­dard con­tracts and adjust them in order to con­form with legal requi­re­ments. After all, seve­re fines may be impo­sed not only against con­trol­lers who use IT ser­vice pro­vi­ders wit­hout a pro­per pro­ces­sing con­tract in place, but against the IT ser­vice pro­vi­ders them­sel­ves as well.”


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.