Germany: Data processing agreements of web hosting providers

In the summer of 2022, the German data protection authorities (collectively, 'the German DPAs') initiated a coordinated audit campaign of the standard contracts of major web hosts. For the campaign, they have developed a checklist for auditing data processing agreements. For companies, this provides valuable guidance for concluding data processing agreements in practice, even outside of ongoing audit procedures.

Valentino Halim, Senior Associate from Wilmer Hale, unpacks the audit campaign of the German DPAs, with a particular focus on the checklist for examining data processing agreements, its scope, limitations, and potential.

Audit campaign by German DPAs

In June 2022, several German DPAs announced that they were aiming at reviewing data processing agreements of selected major providers in a broad-based, coordinated audit campaign. In a press release[1], the Berlin data protection authority ('Berlin Commissioner') announced its intention to review the standard agreements used by web hosting providers located in its jurisdiction with regard to their compatibility with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Other German DPAs, like the Lower Saxony data protection authority ('LfD Niedersachsen')[2], the Rhineland-Palatinate data protection authority ('LfDI Rheinland-Pfalz')[3], the Saxon data protection authority ('SächsDSB'), the Sachsen-Anhalt data protection authority ('LfD Sachsen-Anhalt')[4], and the Data Protection Authority of Bavaria for the Private Sector ('BayLDA')[5], are also participating in this coordinated audit campaign.

Deficiencies in web hosting providers' data processing agreements

The background to the audit campaign is that - according to the German DPAs - even large web hosting providers repeatedly use data processing contracts that have deficiencies in practice. Customers (allegedly) regularly complain that the standard data processing agreements provided by web hosting providers do not fully comply with the requirements of the GDPR. Web hosting providers are also not always willing to amend their standard data processing agreements. In the same vein, the German DPAs themselves repeatedly identified deficiencies in such agreements in practice. In particular, according to the German DPAs, many standard data processing agreements do not provide sufficient evidence from the web hosting provider that it implements the data protection-related measures agreed contractually.

This can result in considerable issues for website operators. As data controllers, they must be able to prove vis-à-vis the DPA in question and the data subjects that they are complying with the requirements of the applicable data protection law.

Web hosting under the GDPR

If companies or organisations have their website or online store operated by an external web hosting provider, the latter processes personal data relating to the visitors of the website on behalf of the website operator. For the purposes of data protection law, the web hosting provider acts as a processor.

In order to establish a concrete data protection legal framework for this instruction-based data processing, website operators and the web host must enter into a data processing agreement. Article 28 of the GDPR sets out in detail the rights, obligations, and other requirements that such data processing agreements between controllers and web hosting providers must specify. However, numerous questions in relation to data processing agreements have not yet been fully clarified by the courts. There is therefore still considerable room for interpretation and thus legal uncertainty for the parties involved.

Checklist for examining data processing agreements

The coordinated audit campaign aims to support website operators and web hosting providers in concluding lawful data processing agreements. To this end, the German DPAs have developed a checklist for auditing data processing agreements.

In terms of content, the checklist specifies when the legal requirements under Article 28 of the GDPR for data processing agreements - in the opinion of the German DPAs - are met or not. The tabular checklist lists the audit program for data processing agreements, indicating the underlying legal provision in each case. It contains a large number of permissible and impermissible contractual clauses to be checked off as 'fulfilled' or 'not fulfilled' in two columns of the table. The German DPAs have published a completion aid which considerably facilitates the examination.

In the checklist, the German DPAs comment in particular on the following contract clauses of practical relevance, which are often the focus of attention when drafting and negotiating data processing agreements or are frequently concluded in an obviously unlawful manner:

  • Reference to other contractual documents: The reference of the data processing agreement to other contractual agreements or other documents is permissible in itself. However, this also means that these other contracts or documents must be drawn up in the correct form (i.e. in writing or in electronic form).
  • Definition of processing: The processing activity under the data processing agreement must be clearly defined. Otherwise, it is not possible to determine whether a particular processing is in accordance with the data processing agreement or an excess of the processor. However, the checklist clarifies that specifying the type of processing is not necessarily required if the subject matter and purpose are sufficiently defined.
  • Own processing purposes: If the agreement allows the processor to process the data that is actually to be processed on behalf of the controller for its own purposes, the agreement no longer constitutes a data processing agreement under Article 28 of the GDPR.
  • Processing contrary to instructions: The processor may act contrary to the controller's instructions only on the basis of Union or Member State law. Processing contrary to instructions based on third-country law, e.g. US laws, such as Section 702 of the Foreign Intelligence Surveillance Act ('FISA'), would be unlawful.
  • Data deletion and return: The decision as to whether the processed data is deleted or returned upon termination of the processing is the sole responsibility of the controller. This right of choice cannot be delegated to the processor. However, a decision specified in advance in the agreement shall be permitted in the event that the controller has not communicated a choice by the end of the provision of the processing services, provided that a subsequent change remains possible.
  • Use of sub-processors: The controller must also retain the power to make decisions on the use of sub-processors. If the processor is given too much leeway in this respect, the corresponding provision in the data processing agreement is unlawful.
  • No exclusion of instruction rights: Occasionally, contractual clauses limit the controller’s rights to issue instructions to what is agreed in the data processing agreement and otherwise subject to a change request procedure. However, such contractual limitations may only have an impact on the question of whether an instruction to be executed by the processor triggers additional remuneration. It cannot be contractually excluded that the processor must carry out certain instructions.
  • Support obligations: The processor is obligated vis-à-vis the controller to provide support in the event of data breaches, to guarantee data subjects' rights, or to enable inspections. In this context, the data processing agreement must not provide for a separate obligation on the part of the controller to bear the costs for carrying out these support services. Otherwise, compliance with data protection-related obligations would be jeopardised for economic reasons.
  • Technical and organisational measures: According to the checklist, it is not required that the specific technical and organisational measures implemented by the processor (Article 32 of the GDPR) are laid down in the data processing agreement itself. Rather, it is sufficient to include in the contract an obligation that the processor will comply with the measures required under Article 32 of the GDPR, or a reference to a list of specific and currently sufficient technical and organisational measures, provided that the processor is obligated to dynamically adapt the implemented measures at a later stage as necessary. It is important to note, however, that this does not release the controller from its obligation to check the measures at any rate before the beginning of the processing and to provide evidence of such measures. For reasons of legal certainty, companies are recommended to contractually document the status quo of the technical and organisational measures when entering into the agreement.
  • Rights of control: The controller's comprehensive right of control may also only be restricted within very narrow limits. Contractual clauses restricting this right are only permissible if, and to the extent that, they prevent abuse of such right. This is often a significant issue in practice, as the exercise of control rights, e.g. in data centres, can have a negative impact on (IT) security. Also in relation to control rights, it is inadmissible to agree upon a separate obligation to bear costs to the detriment of the controller.
  • Confidentiality: Finally, confidentiality obligations in the data processing agreement must not be too strict and must in particular allow disclosure of information to supervisory authorities or data subjects. Otherwise, controllers cannot meet their accountability obligation (Article 5(2) of the GDPR).

Enforcement risks for companies

Website operators, as well as web hosting providers, are well advised not to underestimate the legal risks arising if they fail to comply with the requirements for data processing agreements. The competent DPA may initiate investigations as part of the audit campaign or otherwise at any time, and take remedial measures based on its wide-ranging powers under the GDPR.

In addition, the DPA in question may also impose an administrative fine if it finds that a company has violated the requirements of Article 28 of the GDPR for data processing agreements. In this case, a fine of up to €10 million or, if higher, up to 2% of a company's total worldwide annual turnover for the previous year may be imposed (Articles 83(4), 83(5), and 83(6) of the GDPR). However, fines in the upper part of the fine range seem quite unlikely to be considered in the cases at issue.

Non-binding nature of the checklist

The legal standards set out in the checklist are not legally binding specifications for the design of data processing agreements, but merely the legal opinion of the German DPAs involved. This means that German or European courts could take different legal views than those reflected in the checklist, i.e. they could, for example, evaluate contract clauses classified as impermissible in the checklist as permissible - or the other way round.

Practical relevance of the checklist

Nevertheless, companies should not underestimate the relevance of the checklist in practice. On the one hand, the checklist is applied as a legal standard by the participating German DPAs as part of the coordinated audit campaign. Companies that are customers of one of the affected web hosting providers must still be prepared to be contacted by the relevant DPA and subjected to an audit.

Furthermore, the published checklist is likely to become of considerable importance to companies in the future when it comes to preparing, assessing, and negotiating data processing agreements. Website operators, as well as web hosting providers, can mitigate the risk of regulatory enforcement measures if they implement and comply with the checklist requirements, not least because German DPAs tend to conduct data protection audits on the basis of documents, such as concluded contracts.

Finally, the checklist provides a good overview of the contractual provisions of a processing contract that have been the subject of dispute so far, along with helpful arguments for or against certain contractual clauses. This applies to the conclusion of new data processing agreements as well as to agreements already concluded. In the latter case, companies should consider working towards a contractual adjustment with their contractual partners under the checklist, if necessary.

In this context, the Berlin Commissioner stated: "We encourage all IT service providers to independently check their standard contracts and adapt them to the law. After all, high fines can be imposed not only on responsible parties who use IT service providers without a proper AV contract, but also on the IT service providers themselves."

It remains to be seen whether DPAs other than those participating in the campaign will also adopt this legal standard for assessing data processing agreements.

Valentino Halim, Senior Associate
Wilmer Hale, Frankfurt


1. Available at: https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/pressemitteilungen/2022/20220718-BlnBDI-AVV-Pruefung.pdf (only available in German)
2. See at: https://lfd.niedersachsen.de/startseite/infothek/presseinformationen/lfd-niedersachsen-pruft-auftragsverarbeitungsvertrage-von-webhostern-213575.html (only available in German)
3. See at: https://www.datenschutz.rlp.de/de/aktuelles/detail/news/News/detail/der-landesdatenschutzbeauftragte-rheinland-pfalz-prueft-auftragsverarbeitungsvertraege-von-webhostern/ (only available in German)
4. See at: https://datenschutz.sachsen-anhalt.de/fileadmin/Bibliothek/Landesaemter/LfD/PDF/binary/Pressemitteilungen/PM_02-2022.pdf (only available in German)
5. See at: https://www.lda.bayern.de/media/pm/pm2022_04.pdf (only available in German)
