The State Office for Data Protection (LfD) of Lower Saxony has published a leaflet with FAQ on commissioned processing.
Typical processing operations
The LfD generally considers the following activities as commissioned processing:
- Disposal (destruction, erasure) of data carriers containing personal data,
- Storage of personal data in the cloud,
- Advertising address processing in a letter store,
- Processing of customer data by a call center without any significant decision-making scope of its own, e.g. in the case of purely forwarding customers to the relevant department within the company or in the case of recording contact data or other information for forwarding to the relevant department;
- Data capture, data conversion or scanning of documents containing personal data,
- Data processing work for payroll accounting or financial accounting by data centers,
- Electronic invoicing,
- Purely technical services, e.g. for evaluating and analyzing websites or sending newsletters;
- Maintenance carried out by a service provider on technical devices with the possibility of accessing personal data.
This is in line with the usual understanding of commissioned processing. It is disputed whether maintenance with data access is commissioned processing; treating it as such, however, is in line with the DSK, i.e., the coordinated stance of the German supervisory authorities (cf. Brief Paper No. 13), and as a rule also with the expectations of the companies involved (and releases the service provider from the obligation to provide information to the persons affected on the part of the client).
On the other hand, there is no commissioned processing in the case of
- Cleaning services (which does not mean that no provisions on the handling of personal data (and other confidential information) are required by contract),
- Forwarding services that employ a subcontractor, because the focus here is on professional services of a different nature (see the following section on the center of gravity theory);
- Printing services: if the print shop prints prefabricated, addressed documents, this does not constitute commissioned processing; if, on the other hand, the print shop is provided with a separate address file and only inserts this into the printing unit, this constitutes commissioned processing;
- Tax consulting services.
Center of gravity theory
The LfD points out that an activity which in itself appears to be a processing operation exceptionally does not count as one if it is an “unintentional accessory” to a main service. This is consistent with the common and helpful view that commissioned processing occurs when a service consists primarily – and not only incidentally – of data processing on behalf of a third party, as the BayLDA states in its FAQ on commissioned processing (which is why, for example, lawyers are typically not processors). It also means that services should not be too disaggregated in terms of data protection law; otherwise practically every service would be in part a commissioned processing, which would not be practicable. (Pro memoria: Conversely, there is disclosure between controllers in parts of every commissioned processing, because the processor processes contact details of the controller or its auxiliary persons as controller – this has an impact on information obligations, but also raises questions if a controller uses a processor outside the EEA and uses standard contractual clauses for this purpose.) The LfD justifies this view by stating that commissioned processing must be “intended” by the controller (Recital 81: “a controller who wishes to entrust a processor with processing activities should only use processors that are…”).
However, this also has the consequence that the data processing by the service provider is not privileged here and therefore requires its own legal basis. In this case, the legitimate interest within the meaning of Art. 6(1)(f) GDPR comes into question.
The LfD gives the following examples of this:
- “A florist or wine merchant receives from its customer a list with the address data of the recipients in order to send gifts of flowers or wine to third parties.” The legal basis in this case is legitimate interest.
- “With so-called ‘triangular relationships’, as far as the relationship between online retailer, manufacturer and end customer is concerned. Example: The manufacturer of products receives the address of the customer from the online merchant for direct deliveries agreed with end customers.” The legal basis here is the contract with the end customer.

The second example illustrates another practically important point: not only the online retailer, i.e. the contractual partner of the end customer, relies on this contract, but also the manufacturer. This is correct, because Art. 6(1)(b) requires a contract with the data subject, but not a contract between “the controller” and the data subject, which is why not only the contracting party can invoke this contract:
Notes on shared responsibility
The FAQ contains the following paraphrase of joint responsibility to distinguish it from commissioned processing:
“I am a joint controller together with one or more other entity(ies) and may be a principal if I jointly decide with this/these entity(ies) on the purposes and means of the processing of the personal data in accordance with Article 26 of the GDPR. In this context, I have the same essential decision-making authority as the other controller(s) with regard to the concrete data processing. In addition, there is intentional and conscious cooperation between the other data controllers and me regarding the specific data processing. In this context, it is sufficient if the other data controllers and I make a significant and decision-relevant contribution to the data processing. Furthermore, the responsibility of the other parties involved and me does not have to be equivalent – involvement at different stages of processing and to varying degrees is possible, provided that the contributions remain relevant to the decision. It is not required that everyone have access to the personal data in question when there is shared responsibility.”