Commissioned processing or joint controllers

Outsourcing computing processes to external service providers outside the company is an operation that must be reviewed under data protection law, since it generally requires either a commissioned processing agreement under Article 28 of the GDPR (DSGVO) or a joint controller agreement under Article 26 of the GDPR. The responsibilities of an external data protection officer include reviewing the commissioning relationships of controllers (principals) who use external service providers to carry out processing on their behalf. In Art. 28 GDPR, the legislator has regulated the rights and obligations of the controller and the processor (contractor) in the case of commissioned processing. Among other things, a commissioned processing agreement between the controller (responsible party) and the processor is mandatory. Failure to conclude the required agreement is subject to a fine pursuant to Article 83 (4) (a) GDPR. In addition, the controller and the processor are jointly and severally liable pursuant to Art. 82 (4) GDPR.

A characteristic feature of a commissioned processing agreement is the legally anchored right of control of the controller, which ensures that the controller can regularly verify that technical and organizational measures exist at the processor and are complied with. In this way, the legislator takes into account that the entity responsible for collecting the personal data remains responsible for it even if a third party carries out the processing on its behalf, and must ensure that the processing is carried out in a manner that is permissible under data protection law. Other particular features of commissioned processing must always be clarified in advance and taken into account in the corresponding agreement pursuant to Art. 28 GDPR.

In the case of agreements with foreign processors, the level of data protection in the state in which the processor carries out the processing is also of great importance for the classification under data protection law. It is also essential to have data protection-compliant provisions on the individual rights and obligations of both companies involved in the commissioned processing, covering control rights, subcontracting relationships, the authority to issue instructions, and the handling of the personal data after termination of the contractual relationship. For intra-group processing of personal data, joint controller agreements are often used, since in addition to the subsidiaries, the parent company has its own interest in the processing of the subsidiaries' personal data and uses it for its own purposes. Subsidiaries and parent companies, as joint controllers, jointly decide on the purposes and means of the processing.

Our law firm advises on the following issues in the area of commissioned processing:

  • Assessment of whether a case of commissioned processing according to Art. 28 GDPR exists
  • Review of the company's accounts payable (vendor) list in order to identify active processors
  • Delineation of whether a joint controller agreement according to Art. 26 GDPR is required
  • Support in documenting the data workflow across the various IT applications in group structures
  • Depending on the data workflow, structuring of the required data protection agreements (Art. 28, Art. 26 GDPR, framework agreements)
  • Drafting of data protection-compliant commissioned processing agreements
  • Drafting of joint controller agreements
  • Examination of the required information on technical and organizational data protection measures
  • Conducting reliability checks of external service providers, e.g. by means of a data protection audit
  • On-site visits and inspection of the IT and telecommunications infrastructure to check the reliability of the external service provider under data protection law
  • For external service providers in a third country outside the EU, data protection assessment of the applicable categories of cases for concluding the necessary commissioned processing/joint controller agreements and/or EU standard data protection clauses (selection of the modules)