Following a significant fine against the parties to an
asset acquisition for illegally transferring customer information,
the Bavarian Data Protection Supervisory Authority (Bavarian DPA)
announced on August 20, 2015 that it has fined a company that
engaged a service provider on the basis of a data processing agreement
which did not meet the requirements of Section 11 of the German
Federal Data Protection Act (FDPA). The technical and
organizational measures of the service provider were not specified
in the agreement as required by Section 11 of the FDPA.
Since 2009, companies that engage service providers to process
personal data must enter into a very specific data processing
agreement. The FDPA sets forth various required provisions to be
included in such an agreement. For example, the parties must agree
that data processing operations will comply with the customer's
(data controller's) instructions, that the customer will have
audit rights that the processor will abide by, and that the
processor must implement technical and organizational data security
measures (TOMs) which must be specified in that agreement.
In practice, the foregoing requirements are often not followed in
data processing agreements for several reasons:
Service providers often deliver services globally pursuant to a
standard format and master services agreement in order to save
costs and to keep processes as operationally simple as possible.
Service providers naturally dislike the legal concept of EU data
privacy law according to which they must follow orders from their
customers and where they lose flexibility as regards their
Service providers often entirely refuse to agree to FDPA-compliant
data processing agreements, or they provide a description of TOMs
which is insufficient from the FDPA's perspective. For example, TOMs
are described too broadly, or sometimes the description of the TOMs
merely paraphrases the text of the law.
Because customers – as the data controllers – bear
the burden of demonstrating compliance with the FDPA (and the
burdens of enforcement penalties), service providers are less
incentivized to proactively design and deliver their services and
agreements pursuant to FDPA requirements.
The Bavarian DPA has now
issued a five-digit fine against a company that engaged a service
provider without a data processing agreement that sufficiently
specified the TOMs. This is a fairly new development, since in the
past fines were often either not issued at all or issued only in
cases where there was no data processing agreement at all.
Companies that are subject to German data privacy law should put
more focus on ensuring that the data processing agreements
concluded with service providers fulfill all the requirements of
the FDPA. They cannot avoid fines by merely arguing that the
service provider was unwilling to enter into such an agreement.
Indeed, companies must be willing to negotiate aggressively or,
unfortunately, consider terminating negotiations should service
providers fail to accommodate German legal requirements.
Service providers who are active in the German market should be
thoughtful in further customizing their offerings from standard
data processing agreements so that they may evolve with the
developing enforcement regime. This will help the service providers
prevent unnecessary back-and-forth negotiations with their German
customers and will, in the end, increase their ability to compete
in the German market.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.