Processing – changes in data protection regulations

In practice, entire work processes that involve the processing of personal data are often outsourced to external service providers. Until now, the German Federal Data Protection Act (BDSG) has laid down detailed rules on the selection and contracting of such service providers, and in return has granted processors a privileged status.

With the General Data Protection Regulation (GDPR) coming into effect, this area too will be governed directly by the Regulation, meaning German companies can expect the changes outlined below:

Privileged treatment according to Section 3(8) sentence 3 and Section 11 BDSG

Up until now, the BDSG has granted a privileged status to processors within the European Economic Area. This privilege follows from Section 3(8) sentence 3 BDSG, according to which persons or bodies located in Germany, in another EU member state or in another state of the European Economic Area that collect, process or use personal data on behalf of a controller are not considered third parties. From the perspective of data protection law they are treated as part of the controller (the "responsible body"). In consequence, handing personal data over to such a processor does not require a legal justification: it is not a transfer to a third party within the meaning of Section 3(8) BDSG, but merely a movement of data within the controller's own sphere of responsibility. Handing data over to processors in third countries is, however, excluded from this privilege and requires a justification of its own.

What will happen to privileged status?

How far the GDPR, which applies from 25 May 2018, will change this privileged status remains a controversial question among experts. On the one hand, some take the view that the privilege will remain intact and that its territorial scope will even be extended, so that processors would be privileged not only within the European Economic Area but also in third countries. Others expect the GDPR to be interpreted in such a way that the privilege is dropped altogether and only the territorial scope of the Regulation is extended. On that reading, any processing would be subject to the GDPR as long as either the controller or the processor is established in the EU, regardless of whether the processing itself takes place within the EU.

Theory of privileged status

According to the so-called theory of privileged status, no separate justification is required as long as the conditions of Article 28 GDPR are fulfilled. Supporters of this view argue that the wording of Article 28(3) GDPR speaks for itself: it stipulates that "processing by a processor shall be governed by a contract or other legal act under Union or Member State law". It therefore stands to reason that an agreement concluded in accordance with Article 28 GDPR can itself serve as the legal basis for handing the data over to the processor.

Furthermore, a systematic interpretation shows that Article 4(2) GDPR uses "processing" as a uniform term that does not distinguish between individual processing stages. The handover of data to a contracted processor would therefore be covered by the same justification as the controller's own processing.

In order to understand the terms and classifications of the GDPR correctly, it should be read not as the successor of the BDSG, but as the successor of the Data Protection Directive 95/46/EC. On that basis, the Directive already implied the privileged status of contracted data processing, and the GDPR merely intends to make this privilege explicit. Both instruments contain a provision, Art. 16 Directive 95/46/EC and Art. 29 GDPR respectively, that presupposes such a privilege: each permits persons acting under the authority of the controller or processor to process the data on the controller's instructions.

A further argument for this view is based on the protective purpose of the norm: if the theory of the need for justification were followed, the outsourcing of data processing, which is common in practice, would often be ruled out, so that processing would remain with the controller, whose expertise does not lie in the processing of personal data. The controller would then be far less able to protect personal data than a specialised service provider who can guarantee a higher level of data protection.

On this view, the territorial scope of the privilege would also be extended beyond the borders of the European Economic Area, meaning that the GDPR would bring considerable relief to companies that outsource their data processing to service providers abroad.

Theory of the need for justification

The theory of the need for justification takes the opposite position and argues mainly from the definition of processing in Article 4(2) GDPR. That definition does not distinguish between the collection, processing and use of data, so the question of whether a "transmission" or "retrieval" within the meaning of Section 3(4) no. 3 BDSG has taken place becomes irrelevant. One could still, on the basis of Article 4(2) GDPR, treat transmission as a form of disclosure and disclosure as a form of processing. This would not, however, lead to a different legal consequence, because every disclosure is itself processing and therefore requires a legal basis, whether in the form of consent or the fulfilment of one of the conditions in Article 6(1) GDPR.

In this respect, it will be interesting to see whether processors will enjoy privileged status once the GDPR has come into effect.

Contract design

As has been the case so far, contracted data processing is only permissible on the basis of a contract. Unlike Section 11(2) BDSG, the GDPR no longer demands the strict written form: under Article 28(9) GDPR the contract must be in writing, but electronic form suffices. Its content must meet the requirements of Article 28(3) GDPR, which means in particular that:

  1. Personal data may only be processed on the controller's documented instructions.
  2. The processor must ensure that the persons authorised to process the data are bound by an obligation of confidentiality.
  3. All measures required by Article 32 GDPR (security of processing) must be taken.
  4. Sub-processors may only be engaged under the conditions of Article 28(2) and (4) GDPR.
  5. The processor must assist the controller in responding to data subject requests and in complying with its obligations under Articles 32 to 36 GDPR.
  6. Personal data must be deleted or returned upon completion of the service.
  7. The processor must make available to the controller all information necessary to demonstrate compliance with the above obligations and must allow for and contribute to audits.

Furthermore, under Article 28(2) GDPR the processor may engage a sub-contractor only with the controller's prior specific or general written authorisation. If the obligation in Article 28(4) GDPR were taken literally, meaning that the same data protection obligations would have to be imposed on every further processor and thus essentially the same contract concluded as between controller and processor, the engagement of sub-contractors would in practice most probably be impeded.

Liability changes in the GDPR

Further changes are to be found in the new rules on processors' liability. Whereas under Section 11(1) sentence 1 BDSG only the controller was responsible, Article 82(1) GDPR gives data subjects a claim for compensation against the controller or the processor. A processor is liable under Article 82(2) GDPR where it has not complied with the obligations the GDPR specifically addresses to processors or has acted outside or contrary to the controller's lawful instructions, and where both controller and processor are responsible for the damage, Article 82(4) GDPR makes them jointly and severally liable.