The Bavarian Data Protection Authority (DPA) has in the past month imposed a five-digit fine on a Data Controller which failed to adequately specify, in its data processing contract with a Data Processor, the security controls required to protect personal data.
The DPA stated in its press release that the data processing contract at issue omitted compulsory data security measures which should have been included to protect the personal data. The statement noted that the contract between the two parties was not specific enough and merely repeated some of the relevant legislative provisions.
According to the German Federal Data Protection Act, Data Controllers must impose detailed data security measures on Data Processors in data processing contracts. The text of such a contract must specifically enable the Data Controller to examine whether or not the Data Processor has the capacity to adequately safeguard the personal data involved. The DPA states in the above press release that these measures must be unambiguous and that failure to comply may be punished by fines of up to €50,000.
The Irish Data Protection Acts, 1988 and 2003 define a Data Controller as “a person who, either alone or with others, controls the contents and use of personal data” while defining a Data Processor as “a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment”.
This distinction is emphasised by the Office of the Data Protection Commissioner:
“Unlike data controllers, data processors have a very limited set of responsibilities under the Data Protection Act. They must only process personal data on the instructions of the Data Controller. These responsibilities concern the necessity to keep personal data secure from unauthorised access, disclosure, destruction or accidental loss. In addition all data processors, whose business consists wholly or partly in processing personal data on behalf of data controllers who are required to register, are also required to register with the Data Protection Commissioner as a data processor.”
A benchmark has now been set by the DPA, and Data Controllers are well advised to take heed of the punitive measures imposed in this instance. Specific security criteria must be set out when parties contract to share customer/client personal data. Furthermore, principal responsibility for such a contract rests ultimately with the Data Controller, who is obliged to comply with particular rules regarding how personal data is collected and stored.
These rules, and other relevant information for Data Controllers, can now be accessed via PrivacyEngine. If you have any specific questions then feel free to get in touch. We look forward to hearing from you.