§ 57 HDSIG
Processing on Behalf
(1)Where personal data are processed on behalf of a controller by other persons or bodies, the controller shall ensure compliance with the provisions of this Act and other data protection provisions. The rights of the data subjects to access, rectification, erasure, restriction of processing and compensation shall, in this case, be exercised against the controller.
(2)A controller may only engage processors with the processing of personal data who provide sufficient guarantees, by way of appropriate technical and organisational measures, that the processing will be carried out in compliance with the legal requirements and that the protection of the rights of the data subjects is ensured.
(3)Processors may not engage another processor without the prior written authorisation of the controller. Where the controller has granted the processor a general authorisation to engage further processors, the processor shall inform the controller of any intended addition or replacement of a further processor. The controller may in this case prohibit the addition or replacement.
(4)Where a processor engages another processor, it shall impose on that other processor, by way of a contract, the same obligations arising from its contract with the controller under para. 5 as apply to it, insofar as those obligations are not already binding on the other processor under other provisions. Where the other processor fails to fulfil those obligations, the initial processor shall be liable to the controller for the performance of the obligations of the other processor.
(5)Processing by a processor shall be governed by a contract or other legal instrument that is binding on the processor with regard to the controller and that sets out the subject-matter, duration, nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the controller. The contract or other legal instrument shall stipulate in particular that the processor 1. shall act only on documented instructions from the controller; where the processor is of the opinion that an instruction is unlawful, it shall inform the controller without undue delay; 2. shall ensure that persons authorised to process the personal data are committed to confidentiality, unless they are subject to an appropriate statutory obligation of secrecy; 3. shall assist the controller by appropriate means in ensuring compliance with the provisions on the rights of the data subject; 4. shall, at the choice of the controller, return or erase all personal data after the end of the provision of processing services and destroy existing copies, unless a legal provision requires the storage of the data; 5. shall make available to the controller all necessary information, in particular the logs created pursuant to § 71, to demonstrate compliance with its obligations; 6. shall allow for and contribute to audits carried out by the controller or an auditor mandated by the controller; 7. shall comply with the conditions referred to in para. 3 and 4 for engaging the services of another processor; 8. shall implement all measures required by § 59; and 9. shall, taking into account the nature of the processing and the information available to it, assist the controller in ensuring compliance with the obligations referred to in §§ 59 to 62 and 64.
(6)The contract within the meaning of para. 5 shall be in writing or in electronic form.
(7)A processor who determines the purposes and means of processing in breach of this provision shall be considered to be a controller with regard to that processing. zur Einzelansicht § 57