§ 48 BlnDSG — Auftragsverarbeitung

Processing on Behalf of the Controller

(1)Where personal data are processed on behalf of a controller by other persons or bodies, the controller shall be responsible for compliance with the provisions of this Act and other data protection provisions. The rights of data subjects to access, rectification, erasure, restriction of processing and damages shall in this case be asserted against the controller.

(2)A controller may only commission processors that provide sufficient guarantees, by means of suitable technical and organisational measures, that the processing will be carried out in accordance with the legal requirements and the protection of the rights of the data subjects will be ensured.

(3)Processors shall not engage another processor without prior written authorisation of the controller. Where the controller has granted the processor a general authorisation for the engagement of further processors, the processor shall inform the controller of any intended engagement or replacement. The controller may in this case prohibit the engagement or replacement.

(4)Where a processor engages another processor, it shall impose on the latter the same obligations from its contract with the controller pursuant to paragraph 5 as apply to it, insofar as those obligations are not already binding on the further processor on the basis of other provisions. Where a further processor fails to fulfil those obligations, the processor that engaged it shall be liable to the controller for compliance with the obligations of the further processor.

(5)Processing by a processor shall take place on the basis of a contract or other legal instrument that is binding on the processor vis-a-vis the controller and that sets out the subject matter, the duration, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the controller. The contract or other legal instrument shall in particular provide that the processor 1. acts only on documented instructions from the controller; where the processor is of the opinion that an instruction infringes the law, the processor shall inform the controller without undue delay; 2. ensures that persons authorised to process the personal data have committed themselves to confidentiality, unless they are subject to an appropriate statutory duty of confidentiality; 3. assists the controller by appropriate means in ensuring compliance with the provisions on the rights of data subjects; 4. at the choice of the controller, returns or erases all personal data after the end of the provision of processing services and destroys existing copies, unless a legal provision requires the retention of the data; 5. makes available to the controller all information necessary to demonstrate compliance with its obligations, in particular the logs created pursuant to Section 62; 6. allows and contributes to audits carried out by the controller or by an auditor mandated by the controller; 7. observes the conditions set out in paragraphs 3 and 4 for engaging the services of a further processor; 8. takes all measures required pursuant to Section 50; and 9. assists the controller, taking into account the nature of the processing and the information available to it, in complying with the obligations referred to in Sections 50 to 53 and 55.

(6)The contract within the meaning of paragraph 5 shall be drawn up in writing or in electronic form.

(7)Paragraphs 1 to 6 shall apply accordingly where the maintenance of automated procedures is carried out by third parties on commission and access to personal data cannot be excluded.

(8)A processor that determines the purposes and means of processing in breach of this provision shall be deemed to be a controller with respect to that processing. zur Einzelansicht § 48