S 2.511 Regulation of commissioned data processing regarding the processing of personal data
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Specialists Responsible, IT Security Officer
If personal data are processed on a customer's behalf, the responsibility to comply with the laws and data protection regulations remains with the customer. The customer must choose the contractor carefully.
The commissioning must be done in writing in accordance with the statutory regulations, and any sub-contracts must be specified explicitly (§ 11 BDSG). In some areas, additional statutory regulations must be observed, for example the federal hospital acts.
The requirements placed on the contract with the contractor must reflect the level of protection required by the personal data to be processed on the customer's behalf: the higher the level of protection required, the stricter and more precise the contract must be. For particularly sensitive processing procedures, commissioning external contractors may be prohibited altogether (e.g. investigation data).
Contractors must ensure that data processed on the customer's behalf is processed only in accordance with the customer's instructions. Sub-contracts are subject to the approval of the customer.
If the contractor is not a public agency, the persons involved in the processing of personal data must be obliged to data secrecy when commencing their work.
With respect to social data, the provisions of the Social Security Code (SGB) must be observed. Commissioned processing of personal data by non-public bodies is only admissible if operational disruptions would otherwise occur at the customer, or if sub-processes of automated data processing can be carried out significantly more cost-effectively in this way, and in either case the contract does not include storage of the customer's complete database (§ 80 Para. 5 SGB X). The regulatory authorities must be notified as required.
The customer and, where applicable, the Data Protection Officer responsible are entitled to perform inspections at any time.
Review questions:
- Were all relevant data protection aspects taken into account in the contractual arrangements for commissioned data processing where personal data is processed?
- Is it ensured that external service providers only process the data processed on the customer's behalf in accordance with the instructions of the customer?
- Were all employees of the contractor also obliged to data secrecy when commencing their employment?