Heise online reported on 20 January 2019 that a small company must pay a fine of EUR 5,000 because it had not concluded a data processing contract with the service company it had engaged. Although it had asked the partner company several times in vain for a data processing agreement (DPA), it had not drawn any consequences. Instead of not concluding the service contract in the first place or at least terminating the current contract, personal customer data continued to be exchanged.
A missing order processing contract can cost money
The now penalised company should have acted immediately when the DPA failed to materialise. Simply continuing to employ the service provider without this safeguard was a clear violation of the GDPR. This is because the obligation to conclude an additional agreement on data protection does not apply unilaterally, but to both parties - the client as data controller as well as the processor.
What to do if the processor does not provide a DPA?
When processing personal data between the contractor and the client, an DPA is mandatory. This not only regulates the processing of personal data, but also describes the technical and organisational measures (TOM) that contribute to data security.
When commissioning third parties, one should always make sure that a DPA is concluded. In the case of existing service contracts without a DPA, this supplementary agreement must be requested as soon as possible if it has not already been done. If the processor then refuses or does not react, this is an extraordinary reason for termination (§ 315 BGB - termination of continuing obligations for cause). Action must be taken immediately.
It seems that small businesses still find it difficult to draw up a DPA. The multitude of sample templates on the internet are more confusing than helpful for some entrepreneurs.
Responsible persons ask themselves: "Is the template really legally compliant? Does it meet the requirements of the General Data Protection Regulation?"