The Bavarian Data Protection Authority ("DPA") has recently published a number of position papers clarifying certain requirements under the GDPR.
- Data Processing Agreements can be concluded electronically. The parties must, of course, document the electronic conclusion of the agreement sufficiently and conclusively for their own purposes, and be able to evidence its conclusion in case of an audit by the DPA. A 'qualified electronic signature' is one way to fulfil these documentation obligations, but it is not mandatory.
The GDPR requires that a data processing agreement be in writing, which includes electronic form (Art. 28 (9) GDPR). The DPA, taking German contract law into account, confirmed that a qualified electronic signature is not necessary to fulfil this requirement. Evidence of the conclusion of the data processing agreement can also be provided through a process of hand-signing, scanning, and receiving a signed agreement in return: the agreement can be hand-signed by one party, scanned and emailed to the other party, printed and hand-signed by the other party, and again scanned and emailed back to the first party, provided that the related email correspondence is also documented and retained.
- Documents and documentation required under the GDPR can be drafted in English if the respective controller / processor belongs to an international group of companies and English is defined as the group-wide language. However, the German supervisory authorities may still request translations into German.
Nevertheless, controllers and processors located in Germany must provide documents in German if the DPA requests them as part of an official administrative proceeding in order to prove compliance with the GDPR (Arts 9 and 23 (1), (2) of the Bavarian Administrative Procedure Act). If documents are submitted in a foreign language, the DPA is required by law to request a German translation.
Further, documents which must be provided to data subjects must be drafted in a language which the data subjects understand, also taking into account data subjects who may not speak the local language.
- The information to be provided to data subjects pursuant to Art. 12 (1) GDPR must be provided in the local language.
Article 12 GDPR requires a controller to take appropriate measures to provide any information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Privacy policies for online services and online shops must therefore be provided in the local language of the country targeted by the online service or online shop. Further, any data subject rights requests must be handled in the local language.
- Information obligations over the telephone (Arts 13 and 14 GDPR)
Article 12 (1) GDPR requires controllers to take appropriate measures to provide the information referred to in Articles 13 and 14. Controllers need to find a balance between the GDPR information obligations, their practical implementation, and the avoidance of information overload for data subjects. Until the EU data protection authorities provide further guidance, the Bavarian DPA recommends a layered approach.
The first layer of this approach should provide the most important information, such as the identity of the controller, the purposes of processing and a description of the data subject's rights. This first layer is not required if the data subject already has this information. For the complete information, a (qualified) reference must be made to a website or flyer (second layer).
Applied to telephone calls, this means that the controller provides only the key information during the call (identity of the controller, processing purposes and data subject rights) and then refers the data subject to a website or a leaflet for the full set of information. In situations where it can be assumed that the data subject already has the key information (e.g., the data subject calls a hairdresser to make an appointment), typically no information needs to be provided.
The full set of information provided on a website must also be tailored to the specific scenario. Typically, a 'one-size-fits-all' notice will not be sufficient for the various types of data subjects (employees, end-customers, business partners, website users, suppliers) who access the website.
- Tax advisors are not processors within the meaning of Art. 28 GDPR. A data processing agreement is not necessary.
According to Art. 28 (3) lit. a GDPR, a processor must process personal data only on documented instructions from the controller. Tax advisors, however, are self-employed and independent, are subject to their own professional duty of confidentiality, and are bound by and responsible under the German Tax Advisory Act (Steuerberatungsgesetz) when advising clients. Therefore, based on the client contract and as far as necessary for their advisory role, they are permitted to process personal data of clients and of clients' employees pursuant to Art. 6 (1) lit. f GDPR.
Contributors: Michael Schmidl & Nina Ruecker