Impact of Covid-19 on processing contracts: written form and prohibition on working from home?
In accordance with the guidelines adopted by the federal and state governments to limit social contacts, citizens are called upon to reduce contacts with others to an absolute minimum in order to contain the coronavirus.
In the weeks prior to the publication of these guidelines, many companies had already assigned their employees to work from home if possible. However, the decentralization of the work performed by these employees raises unique practical questions and issues in data protection law.
Specifically, it raises the question of how assigning employees to work from home can affect the conclusion and performance of processing contracts.
Do processing contracts have to be signed by hand on paper?
What should be done if employees who are authorized to sign for the company are working from home but have no way to print out, sign and return an original copy of the processing contract to the other party? Our view is that the contract does not have to be signed by hand. Rather, an e-mail exchange of PDF documents, for example, is sufficient if the parties' intent to be bound by the contract and the referenced documents are clearly evident from the e-mail correspondence.
In accordance with Article 28(9) of the GDPR, processing contracts must be set down in writing, although this may generally be done in an electronic format as well. However, it is unclear whether any other specific requirements can be derived from Article 28(9) of the GDPR with respect to the form of the contract. It is necessary to consider whether contracts with processors have to be signed by hand in every case (which would be consistent with the written form requirement in accordance with the Civil Code). Arguing against this view is the fact that Article 28(9) relates to the drafting of the contract, not to its signing (i.e. its conclusion). Moreover, an examination of how the terms "writing" and "electronic" are used elsewhere in the GDPR makes clear that the drafters of the Regulation likely did not have in mind a written form requirement like the one which we know from German civil law. For example, the clause relating to the provision of information, Article 12(1) of the GDPR, states that information is to be transmitted in writing or in another form, even electronically if appropriate. It is generally acknowledged that the requirement for provision "in writing" does not mean that the data privacy statement has to be drafted by hand: rather, it may be printed out instead. In the interests of ensuring that terms are applied consistently within the GDPR, the same understanding should apply within the bounds of Article 28(9) of the GDPR. This argument is tenable in light of the fact that requirements for written form could have more than one purpose, and that in the case of processing contracts, lawmakers were likely concerned more with ensuring that agreements between the parties are documented than with warning the parties against overhasty conclusion of the agreement.
This view has been confirmed in practice. In the past, the EU Commission has demonstrated openness to various ways in which processing contracts can be entered into electronically. In the view of the Data Protection Authority for the State of Bavaria as well, use of a qualified electronic signature is not mandatory, but is rather just one of the possible ways in which a contract can be entered into electronically (https://www.lda.bayern.de/media/FAQ_ADV_Formerfordernis.pdf).
Working from home requires the controller's prior consent. Now what?
In accordance with the model agreement on data processing published by the Federal Commissioner for Data Protection and Freedom of Information, working from home requires the controller's express prior consent in writing, and such consent may be issued only after appropriate technical and organizational measures are defined for the processing situation (§ 3(9) of the model agreement).
In recent weeks, many companies have reassigned many of their employees to work from home at short notice. In many cases, this includes those engaged in processing the controller's personal data as employees of the processor.
If the processor is contractually required to follow the above procedure, the question is raised whether this course of action breaches the processing contract and, if so, what the consequences are of such a breach.
In accordance with Article 28(10) of the GDPR, acting unilaterally, i.e. without the controller's prior consent, to reassign employees to work from home could transform the processor into the controller (excess of assigned tasks or functions). The first question in this regard is whether the present situation is even covered by the home office clause of the model agreement (i.e. by its meaning and purpose). One could argue that the (physical) location of the processing is what matters, not the place from which employees can access the data. Accordingly, the clause would not be breached if the processor's employees could access the company's servers remotely from home and process the controller's data there. However, this argument will likely be rejected. From the viewpoint of IT security, any remote access to data presents a risk which should be addressed by an appropriate clause of the contract. This clause should give the controller the opportunity to assess the technical and organizational measures which have been taken to ensure that its data is protected during processing by employees working from home. The relevant clause should therefore apply to the present situation.
A unilateral decision by the processor concerning the means of data processing does not in and of itself establish an excess of assigned tasks. In a working paper (PDF) on the concepts of "controller" and "processor", the Article 29 Data Protection Working Party acknowledges that the controller is not required to make a detailed decision about every means of processing. The critical point here, however, is that the contract includes an express clause to this effect, so that the processor is deviating from the controller's clear instructions with regard to the processing procedure. This course of action would likely exceed the bounds set by the Article 29 Data Protection Working Party (cf. p. 31 of the working paper).
At the same time, such a course of action could violate the GDPR, specifically Article 28(3)(a) of the GDPR. While provisions relating to employees working from home are not a mandatory component of the agreement between the parties in accordance with the specifications in Article 28(3) of the GDPR, processors having their employees process data from home may be defying the controller's instructions, even if the relevant provision is not required by law.
In light of this situation, the question is how processors affected by the clause cited here, or a similar clause, should proceed to restore compliance with the GDPR as quickly as possible. First of all, they would be well-advised to closely examine the relevant clauses and the contract as a whole. If, for example, the contract includes a force majeure clause or allows the processor to obtain consent after the fact, such an alternative may apply. If the contract does not include such a clause, a possible breach could still be cured, in our view, if consent is issued after the fact, so that the processor's role is fully restored. If the controller refuses consent, such refusal may constitute a breach of trust in light of the processor's contractual duty of assistance towards its employees and may therefore be impermissible. However, a separate examination of this question is required in each individual case. The same applies for the possible assumption of frustration of contract in accordance with § 313 of the Civil Code, which could enable adjustment of the contract. However, the hurdle which would have to be cleared in this case would be higher than in the case of retroactive consent, or constructive consent in case of refusal.