Start-ups or small companies often do not have an in-house privacy department, which would for example deal with contract data processing. Tips for lateral entrants
Who does contract data processing apply to?
If a company, as a contractor, technically records, processes or uses personal data bound by instructions, there has to be a written agreement for contract data processing between the customer and the contractor (cf. Article 11 Paragraph 2 Sentences 1 and 2 BDSG). This agreement controls rights and obligations of the respective parties.
Essentials for digital companies in Germany
As a subscription management platform, billwerk, too, is obliged to agree on Contract Data Processing with their customers. For subscription companies which are active on the German market, it is also advisable to choose a platform that is compliant with Contract Data Processing. Compared to US providers, German platforms usually perform better.
Examples for data processing services according to Article 11 BDSG are:
- Cloud computing (productive systems or backup solutions)
- Maintenance of IT systems or telecommunication systems (if not coming under TA)
- External support
- Data processing for wages and salary accounts or financial accounting
- Processing of advertising addresses in a lettershop
- Contact data ascertainment through call centers
Issue of the federal government or the federal states?
The Federal Data Protection Act applies for private-law companies – such as GmbH, AG, OHG (Article 11 BDSG), not the respective federal state data protection laws (LDSG).
Who is in charge?
The customer solely bears responsibility for personal data ant their recording, processing or usage. The customer, however, can request regular checks or external audits from their contractor or service provider. The purpose of these requests is safeguarding the technical and organizational safety precautions. The checks have to be documented.
Contents of Contract Data Processing
- Object and duration of the agreement
- Extent, nature and purpose of the service (data collection, -processing or -usage)
- Concerned groups of persons of the data collection, -processing or -usage
- Obligation to implement technical and organizational measures
- Clauses for correction, deletion and blocking of data
- Control rights and inspection duties and documentation obligation
- Authority to issue directives
- Disclosure Requirement in case of violation
- Regulation of procedures after termination of the contract
- If necessary: regulation of sub-contractual relations
Contract Data Processing or Transmission of Functions?
The border between contract data processing and the transmission of functions (Article 3 Paragraph 4 No. 3 BDSG) sometimes seems hard to define. An indication can be the decision-making authority. According to contract data processing, the contractor limits to the technical handling of personal data – bound by instructions, without any decision-making scope and never for own purposes. The contractor also doesn’t render any material contractual performances. Whereas, if the whole task is outsourced, for example with the authority to decide or content-related organization of the overall process, the transmission of function applies.
Checklist: Contract Data Processing or Transmission of Functions?