Minor data protection offenses were often considered venial sins until now. No one took them seriously; after all, they were hardly ever brought to the attention of the relevant authorities – and fines were few, if any.
A recent ruling could radically change this. Indeed, the Bavarian State Office for Data Protection Supervision recently imposed a five-figure fine because a company had failed to specify the necessary technical and organizational measures for processing personal data.
How can you protect yourself? First, you should work with your data protection officer to determine the areas in which you operate as a client. An obvious example is an order placed with a lettershop to produce mailings. But even beyond such clear-cut cases, every company has processes in which third parties handle personal data directly or indirectly. Such processes must be identified.
Even the contractual relationship with a software supplier such as TOLERANT Software GmbH & Co. KG can be commissioned data processing if “the testing or maintenance of automated procedures or of data processing systems is carried out by other bodies on behalf and access to personal data cannot be ruled out.” (Section 11 (5) of the German Federal Data Protection Act).
This is the case, for example, if we or other service providers gain access to systems on site or by remote access (e.g. via the Internet).
You should then review the respective contractual relationships. In addition to the legal obligations under Section 11 of the German Federal Data Protection Act, the so-called technical and organizational measures under Section 9 of the German Federal Data Protection Act should be documented. Free templates for commissioned data processing agreements can be found on the Internet.
Finally, we would like to encourage you to also conclude a contract for commissioned data processing with us if it seems necessary – and in case of doubt, it always is.
Do you have any questions? Then write to us or give us a call. We will be happy to assist you in drawing up the contract documents for commissioned data processing.
Data Protection Officer (IHK)