16.07.09

D: Changes and amendments of the BDSG 2009: Outsourced Data Processing

Category: News, Law
By: M. Belke - 2B Advice GmbH - the privacy benchmark

Amendments to the Federal Data Protection Act and the effect thereof on companies - Part 2

The requirements regarding outsourced data processing have been more concisely defined. Outsourced data processing is privileged data processing if data is processed by a third party as if it were being processed in-house. 

While, in the past, this also required a written award of contract, Section 11 (2) sentence 2 BDSG new version defines the requirements regarding the form this contract award must take in much more concrete terms. On the one hand, these requirements serve legal certainty; on the other hand, they make it easier to monitor compliance with such an agreement and to penalize non-compliance.

The clarification in Section 11 (2) sentence 2 BDSG new version is also new; pursuant to this rule, the principal must assure itself of compliance with the technical and organizational measures implemented by the contractor even before data processing begins and at regular intervals thereafter. A one-off check is not sufficient, and the results of the checks must be documented. The reasoning stated is: "In this way the degree of certainty necessary to be able to penalize non-compliance with a fine is achieved." No fixed time period, e.g. one year, was set, in view of the broad range of outsourced data processing. Here, too, what matters is the scope and sensitivity of the data processing.

For companies, this means that they will need to review and, if necessary, amend their agreements with their data processors. Data processors working on behalf of companies can expect to face tougher, more regular checks. Checks must be carried out before receiving or awarding a data processing contract. All results of such checks must be recorded in full and must include useful information. Only through such documentation can the time of action be definitively proven and can the principal exonerate itself. Failure to correctly or fully award contracts, or failure to verify the contractor's compliance with technical and organizational measures, either in advance or at regular intervals, constitutes an offense as defined by Section 43 (1) No. 2b BDSG new version and is subject to a fine of up to Euro 50,000.
