Documentation of data processing agreements - a topic for everyone!
by Dr. Jana Moser
& ISABELLA SCHAUFLER (TRANSLATION)
12. June 2020
Whether self-employed, a small or medium-sized company or a corporation: which business can offer all of its services from a single source nowadays? Who works completely self-sufficiently and cannot be found via Google search or on social media? Hardly anyone. Therefore, partners or subcontractors are frequently brought in. However, this is precisely where mistakes are made. Mistakes that can become expensive.
When cooperating with other companies, customer or employee data are often - consciously or unconsciously - disclosed and (co)processed. Such data are usually personal data that fall under the EU General Data Protection Regulation (GDPR), so its legal requirements must be followed. This can be the case, for example, if one has a fan page on Facebook, calls in a provider to send newsletters, hires an external IT administrator or entrusts a company with the disposal of confidential paper waste.
Before addressing the specific question of how a contractual partner or one's own company should be classified under the GDPR, i.e. who is responsible, and whether the other party is a third party, a joint controller or a processor, the following basic questions about the data processing must be considered:
1. Is personal data within the meaning of Art. 4 No. 1 GDPR processed in any way?
2. What data category does this data belong to?
3. Are these data to be assigned to special categories within the meaning of Art. 9 Para. 1 GDPR and therefore particularly in need of protection?
4. What type of data processing within the meaning of Art. 4 No. 2 GDPR is involved? Storage, organization, use, disclosure, etc.
5. For what specific purposes are these data processed?
6. On what legal basis from Art. 6 Para. 1 GDPR is this data processed?
7. Is a data protection impact assessment within the meaning of Art. 35 GDPR necessary?
8. What technical and organizational measures within the meaning of Art. 32 GDPR are taken to protect the data?
Once these points are clarified, one finally must decide: is the contractual partner, service provider or customer a third party within the meaning of Art. 4 No. 10 GDPR, a jointly responsible party (joint controller) within the meaning of Art. 26 Para. 1 GDPR, or a processor within the meaning of Art. 4 No. 8 GDPR?
In addition to assistance from associations such as BITKOM, the guidance of the data protection supervisory authorities should also be consulted. The Bavarian State Office for Data Protection Supervision, for instance, has published FAQs on the GDPR that explain how commissioned processing is distinguished from other forms of cooperation. Although this guidance is not legally binding, it is not unusual for customers or even competitors to draw the attention of the authorities to a company. In such cases, the supervisory authorities are obliged by the principle of official investigation to examine the matter and, where necessary, to issue orders or fines. These official assessments therefore help in forming one's own legal evaluation, and they give an idea of how the supervisory authorities would assess the facts of a case if they were to examine it.
The lack of a commissioned processing contract under Art. 28 GDPR can be expensive, especially when the written form requirement (electronic form is also sufficient) is not observed, as this requirement serves the purposes of documentation, preservation of evidence and assurance of authenticity. The Brandenburg State Commissioner for Data Protection and the Right of Access to Files, for example, imposed a fine of EUR 50,000 on a company because it had failed to conclude a written commissioned processing contract in time.
Finally, the question of who is responsible for what in the processing of personal data is becoming increasingly complex and hard to manage due to digitization. Even the highest courts have therefore already dealt with the question of who is actually responsible for processing data on a Facebook fan page. The European Court of Justice issued a decision on this on 5 June 2018. At that time, the judges found a joint responsibility of Facebook Ireland and the fan page operators on the basis of the European predecessor of the GDPR, the Data Protection Directive 95/46. It will be interesting to see whether the Federal Court of Justice will also take a position on who is (jointly) responsible and who is a third party at the hearing in the Facebook App Centre case on 28 May 2020.
Whether your company is the responsible party (controller), a joint controller or a processor must be checked legally in each individual case. However, due to the general accountability obligation under Art. 5 Para. 2 GDPR, documenting the result is not reserved to the controller alone. A processor must also ensure that it documents its own data processing and that the contract is concluded in writing in accordance with Art. 28 Para. 9 GDPR. The conclusion of this contract should be documented in a traceable way, so that it can be evidenced if it is ever needed.
Observing all of the verification steps mentioned above is a laborious task, especially when it comes to carefully recording the involvement of third parties and processors. Here, a digital and intuitive data protection management system makes data protection documentation considerably easier. With the data protection module of the Akarion Compliance Cloud, we support you in recording every involvement of contractual partners and thus in fulfilling your data protection documentation and verification obligations simply, efficiently and in a tamper-proof way. In a system developed by data protection and IT security experts, you can compile your own record of processing activities and create graphs of all contractual partners with whom or through whom you process personal data.
If you would like to learn more about data protection management with the Akarion Compliance Cloud, please contact us directly. We look forward to hearing from you.
About the author
Dr. Jana Moser works for Akarion as Senior Business Development and Key Account Manager.