§ 62 BDSG
Processing on behalf of a controller
(1)Where the controller entrusts a processor with a processing operation, it shall use only processors providing sufficient guarantees that appropriate technical and organisational measures are implemented in such a manner that processing will meet the requirements of this Part and the protection of the rights of the data subject is ensured.
(2)The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of a general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
(3)Processing by a processor shall be governed by a contract that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller. That contract shall stipulate, in particular, that the processor 1 acts only on instructions from the controller; where the processor considers that an instruction infringes this Part or other data protection provisions, the processor shall immediately inform the controller,; 2 ensures that persons authorised to process the personal data have committed themselves to confidentiality,; 3 where possible assists the controller by appropriate technical and organisational measures, for the fulfilment of the obligation to respond to requests for exercising the data subject's rights laid down in Section 57,; 4 assists the controller in ensuring compliance with the obligations pursuant to Sections 64 to 67,; 5 after the end of the provision of processing services, at the choice of the controller, deletes or returns all the personal data to the controller and deletes existing copies, unless Union or national law requires storage of the personal data,; 6 makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Section and; 7 enables and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
(4)Where a processor determines the purposes and means of processing in violation of this Part, the processor shall be considered to be a controller in respect of that processing.
(5)The contract referred to in Subsection (3) shall be in writing or in electronic form.
(6)The controller and the processor shall take steps to ensure that the processor's representative, if one has been designated, is informed of all contracts concluded in accordance with this Section.
(7)Subsections (1) to (6) shall not apply to contracts between the controller and the processor which were concluded before 6 May 2016, provided that the processing is carried out in accordance with those contracts.