Fine for lack of a processing contract


Heise online reported on 20 January 2019 that a small company must pay a fine of EUR 5,000 because it had not concluded a data processing contract with the service company it had engaged. Although it had asked the partner company several times, in vain, for a data processing agreement (DPA), it drew no consequences from the refusal. Instead of declining to conclude the service contract in the first place, or at least terminating the running contract, it continued to exchange personal customer data with the provider.

A missing data processing contract can cost money

The now penalised company should have acted immediately when the DPA failed to materialise. Simply continuing to employ the service provider without this safeguard was a clear violation of the GDPR. The obligation to conclude the agreement on data protection is not one-sided: it binds both parties, the client as data controller as well as the processor, and both can be fined for its absence.

What to do if the processor does not provide a DPA?

Whenever a contractor processes personal data on behalf of a client, a DPA is mandatory (Article 28 GDPR). It not only governs the processing of personal data itself, but also describes the technical and organisational measures (TOM) that contribute to data security.

When commissioning third parties, one should always make sure that a DPA is concluded before any personal data is handed over. For existing service contracts without a DPA, this supplementary agreement must be requested as soon as possible if it has not already been done. If the processor then refuses or does not react, that is good cause for extraordinary termination (§ 314 BGB, termination of continuing obligations for cause). Action must be taken immediately; continuing to transfer data while waiting is exactly what was penalised here.

Conclusion

It seems that small businesses still find it difficult to draw up a DPA. The multitude of sample templates on the internet is more confusing than helpful for some entrepreneurs.

Responsible persons ask themselves: "Is the template really legally compliant? Does it meet the requirements of the General Data Protection Regulation?"


DeepL is a deep learning company that develops AI systems for languages. The company, based in Cologne, Germany, was founded in 2009 as Linguee, and introduced the first internet search engine for translations. Linguee has answered over 10 billion queries from more than 1 billion users.


Manfred Wöller

Manfred Wöller is a TÜV-certified data protection officer who, as part of the team, makes data protection requirements technically feasible. He is also a passionate vegan cook who looks after the physical well-being of guests at community events.