T 2.169 Lack of or inadequate protection of commissioned data processing regarding the processing of personal data
Outsourcing data processing to a third party as commissioned data processing is permissible on the condition that the customer (the controller) remains responsible for compliance with the data protection provisions. The contractor must be selected with due regard to its technical and organisational suitability. The contract must be in writing and must specify the data processing to be performed and the associated technical and organisational safeguards; these safeguards include in particular the customer's right to monitor the contractor's compliance with the contract. The contractor remains bound by the customer's instructions regarding the processing of the data.
These provisions also apply to the inspection and maintenance of technical systems used for the automated processing of personal data (remote maintenance).
Examples:
- A company wants to outsource the technical side of its payroll accounting to a service provider as an application service. The data is processed in such a way that the service provider's staff also have access to the payroll data for administration and backup purposes. The contractual agreements only cover the availability and restart of the payroll accounting service. For unknown reasons, payroll information of the customer's employees is disclosed publicly. The information is used to criticise the employees' salaries, and competitors try to poach employees with better offers and thereby harm the company. The affected employees complain to the competent supervisory authority.
- During a review of the customer's data processing, the supervisory authority finds that the provisions required for commissioned data processing are missing: essential contractual agreements for ensuring compliance with the data protection provisions (here in particular the implementation of the security objectives of the Data Protection Act, verification of that implementation at the service provider, and arrangements for the case of inadequate implementation) are absent. The supervisory authority must object to this and requires the customer to remedy the shortcomings at short notice.