The Berlin data protection authority ('the Berlin Commissioner') announced, on 19 July 2022, that it had started examining the data processing contracts of selected Berlin web hosts, after receiving consistent reports and enquiries from controllers regarding the contracts offered by such web hosts, stating their incompatibility with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the Berlin Commissioner noted that organisations, acting as controllers, often operate their websites through an external service provider (a web host), which processes personal data on behalf of such organisations. Specifically, the Berlin Commissioner highlighted that among the reports received by controllers, such contracts offered by web hosts did not provide sufficient provisions to evidence that the web host is implementing required data protection measures.

As such, the Berlin Commissioner stated that, in support of controllers who carry the ultimate responsibility for processing, it will be conducting examinations of web hosts using a checklist developed specifically for such examinations and to remedy the deficiencies of web host contracts. In this regard, the Berlin Commissioner specified that the checklist, which comes along with instructions on its use, provides a standard for web host contracts, which can also be used in other areas, and encouraged all IT service providers to independently check their standard processor contracts and adapt them to the law. 

Notably, the Berlin Commissioner highlighted that other German data protection supervisory authorities have been involved in a coordinated examination of webhosts, including Lower Saxony, Rhineland-Palatinate, Saxony, Saxony-Anhalt, and Bavaria (LDA).

You can read the press release here, the checklist here, and instructions here, all only available in German.