In cases where personal data is not processed by the controller directly, but rather by service providers engaged by the controller, such as web hosting providers or Cloud operators, a so-called processing arrangement exists from the viewpoint of data protection law. Practical examples of such arrangements are web hosting and Cloud computing services, as well as software-as-a-service (SaaS). From the viewpoint of data protection law, processing may only be performed by a third-party processor if the processing is governed by a data processing agreement. In practice, however, it has become evident again and again that even large service providers find it difficult to provide a data processing agreement which meets the GDPR’s requirements. Accordingly, several German data protection authorities have launched a coordinated investigation into the model contracts used by selected major web hosting providers. The authorities have also published a checklist for the examination of data processing agreements which sets out their consensus legal opinion on the requirements for validity and is therefore of value even outside the current proceedings.
The checklist: classification and content
In terms of its content, the checklist specifies when the statutory requirements for data processing agreements are met from the viewpoint of the data protection authorities and when they aren’t. By no means should it be construed as binding guidelines for the formulation of data processing agreements, but rather as the legal opinion of the participating authorities. Nevertheless, there is no question that the checklist will be used by the data protection authorities as a standard of review and that both controllers and processors can avoid legal conflicts with the authorities if they implement and satisfy the requirements, particularly in light of the fact that German data protection authorities are extremely fond of document examinations.
The checklist also contains statements by the data protection authorities e.g. with regard to the following relevant aspects, which have repeatedly occupied companies when drawing up their data processing agreements:
- The processing activity must be clearly defined. However, the checklist clarifies that specification of the type of processing is not necessarily required as long as the subject and purpose of processing are sufficiently defined.
- Confidentiality obligations must not be overly strict; in particular, they must allow for the disclosure of information to supervisory authorities and data subjects. Otherwise, controllers would be unable to meet their documentation requirements.
- When the processing period is over, the controller may choose whether to delete the processed data or return it. In the authorities’ view, this choice may not be delegated to the processor. However, processors should be able to make preliminary decisions in cases where the controller has not communicated its choice by the time the processing performances have concluded. But even in this case, the controller’s right to choose must be preserved, including the possibility of subsequent changes to stipulations made in the data processing agreement.
- Finally, the controller’s extensive right of control over the data may not be restricted except within very narrow limits. Restrictions should only be allowed insofar as they prevent abuse of the right of control. This is often a serious problem in practice, since exercise of the right of control, e.g. in data centers, can have a negative impact on cybersecurity.
It is to be expected that the published checklist will assume considerable importance in the future for the review of data processing agreements by the data protection authorities and that it will be taken into account even by authorities which are not participating in the current investigations. Controllers and processors should therefore consult the checklist in drawing up and reviewing their data processing agreements in order to minimize the risk of supervisory measures and penalties. This applies not only to new agreements but to existing agreements as well, in which case it may be advisable to seek a revision of the agreement. Berlin’s data protection authority has declared as follows in this regard: “We encourage all IT service providers to conduct an independent review of their standard contracts and adjust them in order to conform with legal requirements. After all, severe fines may be imposed not only against controllers who use IT service providers without a proper processing contract in place, but against the IT service providers themselves as well.”