
GDPR – Contract Processing – Part 5


A guest article on the GDPR by:
Dr Oliver Hornung, Attorney at Law for IT & Digital Business and Partner of SKW Schwarz Rechtsanwälte

The following topics are covered in this series of articles:

  1. Objectives and principles.
  2. Rights of data subjects.
  3. Obligations for companies.
  4. International data transfers abroad.
  5. Technical and organisational data protection.
  6. Commissioned processing.
  7. Obligation to appoint a company data protection officer.
  8. New European data protection law also applies to website operators.
  9. Supervisory Authorities.
  10. Fines and Sanctions.
  11. Employee data protection.
  12. What do companies have to do?

Commissioned processing

The requirements and specifications for agreements on commissioned processing essentially remain the same as those regulated in the BDSG. Nevertheless, some new rules on the content of such agreements must be observed. First of all, it is welcome that the GDPR abolishes the strict German written form requirement, so that commissioned processing agreements can also be concluded electronically in the future. What is new is that the European Commission can publish standard contractual clauses for commissioned processing and that proof of the contractor’s guarantees can also be provided through certifications and approved codes of conduct.

Appointment of company data protection officers

According to the requirements of the GDPR, company data protection officers must be appointed in 3 cases:

  • Public bodies, if they process personal data, must always appoint a data protection officer. However, courts are exempt in the context of the relevant activity.
  • Non-public bodies must appoint a data protection officer if their core activity, or that of the processor acting on their behalf, consists in data processing
      • which, by virtue of its purpose or scope, requires the extensive, regular and systematic monitoring of data subjects, or
      • which involves substantial processing of data that are particularly sensitive according to the requirements of the GDPR.

The GDPR contains an opening clause to the effect that the Member States may prescribe the appointment of a data protection officer in national law for further cases. Germany will make use of this, so that the current regulations in the Federal Data Protection Act on the company data protection officer will remain in place.

Hint: This text has been translated by an AI (German > English). Slight errors may occur.