By Dr. Christian Schröder | Sophie Ratzke
Following a significant fine against the parties to an asset acquisition for illegally transferring customer information, the Bavarian Data Protection Supervisory Authority (Bavarian DPA) announced on August 20, 2015 that it had fined a company for engaging a service provider under a data processing agreement that did not meet the requirements of Section 11 of the German Federal Data Protection Act (FDPA). The technical and organizational measures of the service provider were not specified in the agreement as Section 11 of the FDPA requires.
Background
Since 2009, companies that engage service providers to process
personal data must enter into a very specific data processing
agreement. The FDPA sets forth various required provisions to be
included in such an agreement. For example, the parties must agree
that data processing operations will comply with the customer's
(data controller's) instructions, that the customer will have audit
rights that the processor will abide by, and that the processor must
implement technical and organizational data security measures (TOMs)
which must be specified in that agreement.
In practice, the foregoing requirements are often not followed in
data processing agreements for several reasons:
- Service providers often deliver services globally pursuant to
a standard format and master services agreement in order to save
costs and to keep processes as operationally simple as possible.
Service providers naturally dislike the legal concept of EU data
privacy law according to which they must follow orders from their
customers and where they lose flexibility as regards their TOMs.
- Service providers often entirely refuse to agree to FDPA-compliant data processing agreements, or they provide a description of TOMs that is insufficient from the FDPA's perspective. For example, the TOMs are described too broadly, or sometimes the description merely paraphrases the text of the law.
- Because customers – as the data controllers – bear the burden
of demonstrating compliance with the FDPA (and the burdens of
enforcement penalties), service providers are less incentivized to
proactively design and deliver their services and agreements
pursuant to FDPA requirements.
The Bavarian DPA has now issued a five-digit fine against a company that engaged a service provider without a data processing agreement that sufficiently specified the TOMs. This is a fairly new development: in the past, fines were often either not issued at all or issued only in cases where there was no data processing agreement at all.
Outlook
Companies that are subject to German data privacy law should put more focus on ensuring that the data processing agreements concluded with service providers fulfill all the requirements of the FDPA. They cannot avoid fines by merely arguing that the service provider was unwilling to enter into such an agreement. Indeed, companies must be willing to negotiate aggressively or, unfortunately, consider terminating negotiations should service providers fail to accommodate German legal requirements.
Service providers who are active in the German market should be
thoughtful in further customizing their offerings from standard data
processing agreements so that they may evolve with the developing
enforcement regime. This will help the service providers prevent
unnecessary back-and-forth negotiations with their German customers
and will, in the end, increase their ability to compete in the
German market.
For more information about these developments, please contact Dr. Christian Schröder, Orrick's head of IP/IT & Data Privacy Practice Group in Germany, at +49 211 3678 7249 or cschroeder@orrick.com; Antony Kim, global co-chair of Orrick's Cybersecurity & Data Privacy team, at (202) 339-8493 or akim@orrick.com; or Aravind Swaminathan, global co-chair of Orrick's Cybersecurity & Data Privacy team, at (206) 839-4340 or aswaminathan@orrick.com.