Following a significant fine against the parties to an asset acquisition for illegally transferring customer information, the Bavarian Data Protection Supervisory Authority (Bavarian DPA) announced on August 20, 2015 that it has fined a company that engaged a service provider based on a data processing agreement which did not meet the requirements of Section 11 of the German Federal Data Protection Act (FDPA). The technical and organizational measures of the service provider were not specified as required by Section 11 of the FDPA.
Since 2009, companies that engage service providers to process personal data must enter into a very specific data processing agreement. The FDPA sets forth various required provisions to be included in such an agreement. For example, the parties must agree that data processing operations will comply with the customer's (data controller's) instructions, that the customer will have audit rights that the processor will abide by, and that the processor must implement technical and organizational data security measures (TOMs) which must be specified in that agreement.
In practice, the foregoing requirements are often not followed in data processing agreements for several reasons:
The Bavarian DPA has now issued a five-digit fine against a company that engaged a service provider without a data processing agreement that sufficiently specified the TOMs. This is a fairly new development: in the past, fines were often either not issued at all or issued only in cases where there was no data processing agreement at all.
Companies that are subject to German data privacy law should put more focus on ensuring that the data processing agreements concluded with service providers fulfill all the requirements of the FDPA. They cannot avoid fines by merely arguing that the service provider was unwilling to enter into such an agreement. Indeed, companies must be willing to negotiate aggressively or, unfortunately, consider terminating negotiations should service providers fail to accommodate German legal requirements.
Service providers that are active in the German market should consider adapting their standard data processing agreements so that they keep pace with the developing enforcement regime. This will help service providers avoid unnecessary back-and-forth negotiations with their German customers and will, in the end, increase their ability to compete in the German market.
For more information about these developments, please contact Dr. Christian Schröder, Orrick's head of IP/IT & Data Privacy Practice Group in Germany, at +49 211 3678 7249 or [email protected], Antony Kim, global co-chair of Orrick's Cybersecurity & Data Privacy team at (202) 339-8493 or [email protected] or Aravind Swaminathan, global co-chair of Orrick's Cybersecurity & Data Privacy team at (206) 839-4340 or [email protected].