Impact of Covid-19 on pro­ces­sing con­tracts: writ­ten form and pro­hi­bi­ti­on on working from home?

In accordance with the gui­de­lines adopted by the fede­ral and sta­te govern­ments to limit social cont­acts, citi­zens are cal­led upon to redu­ce cont­acts with others to an abso­lu­te mini­mum in order to con­tain the coronavirus. 

In the weeks pri­or to the publi­ca­ti­on of the­se gui­de­lines, many com­pa­nies had alre­a­dy assi­gned their employees to work from home if pos­si­ble. Howe­ver, the decen­tra­liza­ti­on of the work per­for­med by the­se employees rai­ses uni­que prac­ti­cal ques­ti­ons and issues in data pro­tec­tion law.

Spe­ci­fi­cal­ly, it rai­ses the ques­ti­on of how assig­ning employees to work from home can affect the con­clu­si­on and per­for­mance of pro­ces­sing contracts.

Do pro­ces­sing con­tracts have to be signed by hand on paper?

What should be done if employees who are aut­ho­ri­zed to sign for the com­pa­ny are working for home but have no way to print out, sign and return an ori­gi­nal copy of the pro­ces­sing con­tract to the other par­ty? Our view is that the con­tract does not have to be signed by hand. Rather, e.g. an e‑mail exch­an­ge of PDF docu­ments is suf­fi­ci­ent if the par­ties’ intent to be bound by the con­tract and the refe­ren­ced docu­ments are cle­ar­ly evi­dent from the e‑mail correspondence.

In accordance with Artic­le 28(9) of the GDPR, pro­ces­sing con­tracts must be set down in wri­ting, alt­hough this may gene­ral­ly be done in an elec­tro­nic for­mat as well. Howe­ver, it is unclear whe­ther any other spe­ci­fic requi­re­ments can be deri­ved from Artic­le 28(9) of the GDPR with respect to the form of the con­tract. It is neces­sa­ry to con­sider whe­ther con­tracts with pro­ces­sors have to be signed by hand in every case (which would be con­sis­tent with the writ­ten form requi­re­ment in accordance with the Civil Code). Arguing against this view is the fact that Artic­le 28(9) rela­tes to the draf­ting of the con­tract, not to its sig­ning (i.e. its con­clu­si­on). Moreo­ver, an exami­na­ti­on of how the terms “wri­ting” and “elec­tro­nic” are used else­whe­re in the GDPR makes clear that the draf­ters of the Regu­la­ti­on likely did not have in mind a writ­ten form requi­re­ment like the one which we know from Ger­man civil law. For exam­p­le, the clau­se rela­ting to the pro­vi­si­on of infor­ma­ti­on, Artic­le 12(1) of the GDPR, sta­tes that infor­ma­ti­on is to be trans­mit­ted in wri­ting or in ano­ther form, even elec­tro­ni­cal­ly if appro­pria­te. It is gene­ral­ly ack­now­led­ged that the requi­re­ment for pro­vi­si­on “in wri­ting” does not mean that the data pri­va­cy state­ment has to be draf­ted by hand: rather, it may be prin­ted out ins­tead. In the inte­rests of ensu­ring that terms are appli­ed con­sis­t­ent­ly within the GDPR, the same under­stan­ding should app­ly within the bounds of Artic­le 28(9) of the GDPR. This argu­ment is tenable in light of the fact that requi­re­ments for writ­ten form could have more than one pur­po­se, and that in the case of pro­ces­sing con­tracts, law­ma­kers were likely con­cer­ned more with ensu­ring that agree­ments bet­ween the par­ties are docu­men­ted than with war­ning the par­ties against over­hasty con­clu­si­on of the agreement.

This view has been con­firm­ed in prac­ti­ce. In the past, the EU Com­mis­si­on has demons­tra­ted open­ness to various ways in which pro­ces­sing con­tracts can be ente­red into elec­tro­ni­cal­ly. In the view of the Data Pro­tec­tion Aut­ho­ri­ty for the Sta­te of Bava­ria as well, use of a qua­li­fied elec­tro­nic signa­tu­re is not man­da­to­ry, but is rather just one of the pos­si­ble ways in which a con­tract can be ente­red into elec­tro­ni­cal­ly (https://www.lda.bayern.de/media/FAQ_ADV_Formerfordernis.pdf).

Working from home requi­res the controller’s pri­or con­sent. Now what?

In accordance with the model agree­ment on data pro­ces­sing published by the Fede­ral Com­mis­sio­ner for Data Pro­tec­tion and Free­dom of Infor­ma­ti­on­re­qui­res the controller’s express pri­or con­sent in wri­ting, and such con­sent may be issued only after appro­pria­te tech­ni­cal and orga­niza­tio­nal mea­su­res are defi­ned for the pro­ces­sing situa­ti­on (§ 3(9) of the model agreement).

In recent weeks, many com­pa­nies have reas­si­gned many of their employees to work from home at short noti­ce. In many cases, this includes tho­se enga­ged in pro­ces­sing the controller’s per­so­nal data as employees of the processor.

If the pro­ces­sor is con­trac­tual­ly requi­red to fol­low the abo­ve pro­ce­du­re, the ques­ti­on is rai­sed whe­ther this cour­se of action brea­ches the pro­ces­sing con­tract and, if so, what the con­se­quen­ces are of such a breach.

In accordance with Artic­le 28(10) of the GDPR, acting uni­la­te­ral­ly, e.g. wit­hout the controller’s pri­or con­sent, to reas­sign employees to work from home could trans­form the pro­ces­sor into the con­trol­ler (excess of assi­gned tasks or func­tions). The first ques­ti­on in this regard is whe­ther the pre­sent situa­ti­on is even cover­ed by the home office clau­se of the model agree­ment (i.e. by its mea­ning and pur­po­se). One could argue that the (phy­si­cal) loca­ti­on of the pro­ces­sing is what mat­ters, not the place from whe­re employees can access the data. Accor­din­gly, the clau­se would not be brea­ched if the processor’s employees could access the company’s ser­vers remo­te­ly from home and pro­cess the controller’s data the­re. Howe­ver, this argu­ment will likely be rejec­ted. From the view­point of IT secu­ri­ty, any remo­te access to data pres­ents a risk which should be addres­sed by an appro­pria­te clau­se of the con­tract. This clau­se should give the con­trol­ler the oppor­tu­ni­ty to assess the tech­ni­cal and orga­niza­tio­nal mea­su­res which have been taken to ensu­re that its data is pro­tec­ted during pro­ces­sing by employees working from home. The rele­vant clau­se should the­r­e­fo­re be admissible.

A uni­la­te­ral decis­i­on by the pro­ces­sor con­cer­ning the means of data pro­ces­sing does not in and of its­elf estab­lish an excess of assi­gned tasks. In a working paper on the con­cepts of “con­trol­ler” and “pro­ces­sor”, (PDF) the Artic­le 29 Data Pro­tec­tion Working Par­ty ack­now­led­ges that the con­trol­ler is not requi­red to make a detail­ed decis­i­on about every means of pro­ces­sing. But the cri­ti­cal point in this regard is that the con­tract includes an express clau­se to this effect, so that the pro­ces­sor is devia­ting from the controller’s clear ins­truc­tions with regard to the pro­ces­sing pro­ce­du­re. This cour­se of action would likely exceed the bounds set by the Artic­le 29 Data Pro­tec­tion Working Par­ty (cf. p. 31 of the working paper).

At the same time, such a cour­se of action could vio­la­te the GDPR, spe­ci­fi­cal­ly Artic­le 28(3)(a) of the GDPR. While pro­vi­si­ons rela­ting to employees working from home are not a man­da­to­ry com­po­nent of the agree­ment bet­ween the par­ties in accordance with the spe­ci­fi­ca­ti­ons in Artic­le 28(3) of the GDPR, pro­ces­sors having their employees pro­cess data from home may be defy­ing the controller’s ins­truc­tions, even if the rele­vant pro­vi­si­on is not requi­red by law.

In light of this situa­ti­on, the ques­ti­on is how pro­ces­sors affec­ted by the clau­se cited here, or a simi­lar clau­se, should pro­ceed to res­to­re com­pli­ance with the GDPR as quick­ly as pos­si­ble. First of all, they would be well-advised to clo­se­ly exami­ne the rele­vant clau­ses and the con­tract as a who­le. If, for exam­p­le, the con­tract includes a force majeu­re clau­se or allows the pro­ces­sor to obtain con­sent after the fact, such an alter­na­ti­ve may app­ly. If the con­tract does not include such a clau­se, a pos­si­ble breach could still be cured, in our view, if con­sent is issued after the fact, so that the processor’s role is ful­ly res­to­red. If the con­trol­ler refu­ses con­sent, such refu­sal may con­sti­tu­te a breach of trust in light of the processor’s con­trac­tu­al duty of assis­tance towards its employees and may the­r­e­fo­re be imper­mis­si­ble. Howe­ver, a sepa­ra­te exami­na­ti­on of this ques­ti­on is requi­red in each indi­vi­du­al case. The same appli­es for the pos­si­ble assump­ti­on of frus­tra­ti­on of con­tract in accordance with § 313 of the Civil Code, which could enable adjus­t­ment of the con­tract. Howe­ver, the hurd­le which would have to be cle­ared in this case would be hig­her than in the case of retroac­ti­ve con­sent, or con­s­truc­ti­ve con­sent in case of refusal.

back

Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.