Are you a controller who wants to engage a processor but is unsure whether the data protection contract on offer fulfils the requirements of Art. 28 GDPR? Are you a processor handling personal data on behalf of a controller and want to make sure that your data protection contract is legally compliant?
In both cases, you should have your data protection contract assessed by one of our data protection experts. Our lawyers regularly review and draft data protection contracts for clients of various industries and sizes, and know how to navigate the particularities and pitfalls of the General Data Protection Regulation (GDPR).
We will assess whether your contract for processing on behalf of a controller meets the requirements of Art. 28 GDPR. In addition, we will evaluate the technical and organisational measures specified by the processor and determine whether they provide an appropriate level of security for the data concerned according to Art. 32 GDPR. If they do not, both the controller and the processor are exposed to the risk of a fine. This risk can be reduced by having the data protection contract assessed before it is finalised, so that any necessary changes can still be made.
We will analyse the data protection contract provided by you, as well as any attachments to the contract, for completeness and legal compliance. You will receive a detailed assessment report listing specific changes to be made to the contract. Finally, we will give you an overall estimation of the contract’s legal compliance.
A data protection contract for processing on behalf of a controller must be concluded whenever personal data is processed by a processor that acts on the controller's instructions. Such processors may be payroll firms, storage medium disposal companies, advertising or marketing agencies, cloud computing service providers, web or e-mail hosting services, or even freelance workers.
The data protection contract regulates the rights and obligations of the controller and the processor, as well as those of any sub-processors that may be engaged. In this way it ensures that the processor processes the data entrusted to it only for the purposes for which the controller collected it. Most importantly, however, the processor is obliged to protect the data to the same extent as the controller. So that this protection can actually be verified, the contract grants the controller rights of inspection and audit.
Likewise, the contract should define the limits of the processing on behalf of the controller and specify when the processor breaches its obligation to process only on instructions and, by determining the purposes and means of processing itself, is to be regarded as a controller in its own right. Defining this boundary precisely is in the interest of the controller and the processor alike.
The controller and processor are equally responsible to enter into a lawful data protection contract for the processing on behalf of a controller. Each party must take efforts to prepare the contract and ensure that it sufficiently covers the minimum requirements of Art. 28 GDPR.
Either party may supply the template for the data protection contract. When web hosting service providers act as processors, for example, the choice is usually limited to accepting the data protection contract that is offered. Our lawyers can help here as well: on the basis of the contract assessment, you can reach a decision for or against a provider.
A contract for processing on behalf of a controller must fulfil the requirements of Art. 28 GDPR. Art. 28(3) GDPR contains a catalogue of the minimum content that such a contract must include, which serves as the benchmark for the assessment.
To be able to carry out a complete assessment, all relevant contract documents and attachments must be made available, as shown in the following list:
- Main contract: The data protection contract often refers to the main contract, which is usually the service contract. Wherever the main contract is referenced, it is required for the assessment.
- Technical and organisational measures (TOM) according to Art. 32 GDPR: The so-called TOMs are often attached at the end of the data protection contract. They may also be set out in a separate document, for example a security concept or a data protection concept.
- List of sub-processors: The list of sub-processors provided by the processor is usually included in the data protection contract. If it is provided in a separate document, that document is required for the assessment.
- Other relevant documents: In rare cases the processor provides further data protection information that is needed to assess the data protection contract. If you have received such documents from the processor, please upload them as well.
Furthermore, it would help us if you briefly describe the service to be assessed. This description is usually a part of the contract, but this is not always the case.
Certificates can serve as evidence of technical and organisational measures (TOM) that have already been implemented. However, the certificates must be suitable and appropriate for the service in question.
Please note that certificates are only one factor to be taken into account. In other words: certificates are indicators that TOMs exist, but they do not prove that those measures are sufficient. An overall assessment based on adequate information and verification is still necessary.
For a certificate to carry evidential weight, the scope of the audit and the standard it was tested against must be known. This is the case with certification against a published standard such as ISO 27001; even then, the certificate's stated scope must actually cover the systems and locations used to provide the contracted service. Many data protection certificates currently in circulation lack this significance: they are often developed by companies themselves and are not based on public standards, so it is not apparent what exactly was tested or against which criteria the results were obtained.
An existing or pending data protection contract will be assessed specifically for legal compliance with the requirements of Art. 28 GDPR and for the suitability of the evidence of the technical and organisational measures.
Unfortunately, we cannot evaluate whether the contract is commercially advantageous to you in a specific case. Liability provisions, allocation of costs and the like will be evaluated by us only insofar as they constitute a violation of the GDPR.
Please note the following guidelines regarding the service scope of our assessment of your data protection contracts:
- The assessment focuses exclusively on data protection, i.e. we examine the contract documents against the requirements of the GDPR and, where applicable, the UK Data Protection Act 2018 or the German Federal Data Protection Act (BDSG). We will point out exactly where the documents deviate from the law and show you how to correct them. The assessment expressly does not determine compliance with any other laws.
- The assessment consists of an evaluation of the contract with recommendations for changes, in German or in English. Specific suggestions on wording will be offered, but only to a limited extent.
- We assume no responsibility for the completeness and currency of the contract. We review only the documents transmitted to us, and only as regards their compliance with the legal provisions.
- Any additional details provided by the controller will be taken as accurate.
- Services are considered rendered when the assessment results, including recommendations for action, are made available as a download.
- Services will be rendered within 15 working days. The period begins on the working day after all documents necessary for the assessment have been uploaded (data protection contract, main contract, technical and organisational measures, list of sub-processors, other relevant documents).