The processing of personal data by third parties, the processors, is part of the networked economy. No company can operate economically today without it. Article 28 GDPR places the responsibility for this processing with the controller, who must fulfil the resulting obligations. In this way, the legislator wants to avoid a ping-pong of responsibilities in the event of a breach of the legal bases, at the end of which no one is willing to answer for the violation.
Art. 28 GDPR regulates the basis of cooperation between the controller and the processor.
The core obligations of the controller, in summary, are:
- careful selection of the processor before processing begins,
- sound contractual safeguards in the form of a data processing agreement (in German: AV-Vertrag) or another legally binding instrument under Union or Member State law,
- review of the processor's technical and organisational measures (TOM),
- verification of compliance, in particular with Art. 32 GDPR (security of processing),
- ongoing control obligations, and
- documentation obligations.
The basis for cooperation with third parties in the processing of personal data is usually a contract that legally binds both parties. Practice over the last few years shows that the contracts we have seen often contain gaps and drafting deficiencies. This ultimately harms both sides, the processor and the controller.
In most cases, significant improvements could be achieved through renegotiation in the course of audits.
Clear contracts alone, however, are not sufficient to fulfil the requirements of Art. 28 GDPR on a lasting basis.
In particular, when using processors, the controller is responsible for providing evidence that the processor is meeting its obligations. One option would be for the controller to obtain a certification from the processor at regular intervals in accordance with Art. 42 GDPR, although this is not yet available in practice.
Another option is to commission regular audits, including the preparation of an audit report, as evidence that the control obligations have been fulfilled.
These audits are based on the audit criteria of the Conference of the Independent Data Protection Supervisory Authorities of the Federation and the Länder (DSK) for certification under Art. 42 GDPR and on the DSK's Standard Data Protection Model (SDM). Controllers can use the audit report to demonstrate that they have fulfilled their control obligations, and processors can present it to prospective controllers as a basis for deciding on future cooperation.
Why commission an independent audit?
An independent audit ensures that a third party not involved in awarding the contract takes its own look at the processing operations. Aspects that were previously overlooked often become visible in the course of an audit.