GDPR infringement through home office work under data processing agreements (DPAs)
Within the framework of a DPA, numerous inspection and monitoring rules must be agreed, and technical and organizational measures must be taken to protect personal data. One component of these rules is the involvement of further contractors (sub-processors) that the contractor may use. Example: if company U commissions marketing company M to run a newsletter campaign, and M in turn engages a technical service provider V to carry out this order and send the emails, V is a sub-processor. This creates a chain "U - M - V", with U as the client (controller), M as the contractor (processor) and V as a sub-processor of the commissioned processing.
Whether the marketing company M may involve V at all is determined by the DPA between U and M. Sometimes the permitted sub-processors are listed there exhaustively; sometimes a clause makes any further involvement subject to prior approval by the client, in the example U. In other cases, an objection mechanism is provided for: the contractor notifies the client of an intended new sub-processor, and the client may object within an agreed period.
The annex to the DPA also describes in great detail which technical and organizational measures (TOM) must be in place for processors and sub-processors. As a rule, this goes so far as to specify the individual locking mechanisms of doors and describe fire protection systems.
If a home office is suddenly set up because of the coronavirus pandemic and, in the example above, the marketing company M and the email sending service provider V no longer provide their services from their respective premises, two problems in particular may arise:
Firstly, the employees of M and V no longer work from the premises of their respective companies. The technical and organizational measures described in the DPA (e.g. access restrictions and fire protection systems) therefore no longer apply to the home office.
Secondly, the employees of M and V now use additional service providers, e.g. for remote access or video telephony, to carry out their work. Where personal data passes through such providers, they are themselves sub-processors, and their use must be permitted under the DPAs that have been concluded.
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) goes further and recommends that a home office may only be used with the prior express written consent of the client, and only once sufficient technical and organizational measures have been defined:
"Processing of data outside the premises of the processor (e.g. teleworking, home office, mobile working) requires the prior express written consent of the controller, which can only be granted after appropriate technical and organizational measures for the processing situation have been established."
If the existing DPAs do not already take sufficient account of home office work, legal measures are now required. In the simplest case, it may be enough to inform the respective client, who generally has a right to object. In other cases, a contractual amendment will be necessary, and in still others the express approval of the respective client will be required. It should also be noted, however, that the level of protection of personal data is not at the client's disposal. The previously agreed protection measures may therefore not be reduced at will, even in agreement with the client.
It is therefore advisable, unless the DPA already provides for this, to agree supplementary rules on the use of sub-processors and at the same time to describe additional technical and organizational measures that apply specifically to the home office. In the case of particularly sensitive personal data, reducing the protective measures may be inadmissible altogether. However, in view of the current risks posed by the coronavirus and Covid-19, the interest in protecting the health of employees must also be weighed in this assessment.
In all of this, it should be emphasized that both parties to a DPA relationship are obligated, not just one. If the DPA is invalid or no longer reflects the actual processing, this constitutes a breach of the GDPR for both the client and the contractor, with the well-known range of fines. Existing data processing agreements should therefore be checked urgently to determine whether additional measures are required because of home office work.