Commissioned data processing without a proper contract can be expensive
If a company commissions an external service provider to collect, process or use personal data, a written commissioned data processing agreement must be concluded. The German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) stipulates which provisions must be included in such a contract. The technical and organizational measures that the external service provider must take are particularly important. These must be established in writing and specified in sufficient detail. If such provisions are missing or incomplete, or if the other requirements for the commissioning of external service providers pursuant to Section 11 BDSG are not complied with, the supervisory authorities may impose fines.
Only recently, the Bavarian State Office for Data Protection Supervision imposed a five-digit fine on a company that had concluded written commissioned data processing agreements with its service providers, but had not specified sufficiently concrete technical and organizational data security measures. Blanket statements and repetitions of the legal text are not sufficient in this respect – rather, a final determination of the concrete measures taken must be made within the framework of the contract. Only in this way can the commissioning company actually assess in practice whether the personal data is sufficiently protected at the contractor.
The Bavarian State Office has announced that it will continue to pursue this issue and impose further fines in the event of inadequate contracts. Other privacy regulators are likely to follow suit. When commissioning external service providers, care must therefore be taken to ensure that the cooperation is contractually structured accordingly – in particular, caution must be exercised when using model contracts!