§ 45 NDSG
Processing on behalf of the controller
(1)1Where personal data are processed on behalf of a controller, the controller shall remain responsible for compliance with the provisions of this Part and other data protection provisions. 2The rights of data subjects to access, rectification, erasure, restriction of processing and compensation shall be asserted against the controller. 3A processor that determines the purposes and means of the processing in breach of this provision shall be deemed to be a controller in respect of that processing.
(2)For the selection of processors by the controller, Article 28(1) of the General Data Protection Regulation shall apply mutatis mutandis.
(3)1Processing by a processor shall be carried out on the basis of a contract or other legal instrument as referred to in Article 28(3) sentence 1 of the General Data Protection Regulation. 2The contract or other legal instrument shall provide in particular that the processor
(4)acts only on documented instructions from the controller,
(5)ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality,
(6)assists the controller by appropriate means in ensuring compliance with the provisions on the rights of data subjects,
(7)returns all personal data to the controller or deletes them on completion of the provision of processing services, at the choice of the controller, and destroys existing copies, unless a legal provision requires retention of the data,
(8)makes available to the controller all information necessary, including the logs created pursuant to § 35(2) to (5), to demonstrate compliance with its obligations,
(9)allows for and contributes to audits, including inspections, conducted by the controller or an auditor mandated by the controller,
(10)complies with the conditions referred to in paragraph 4 for engaging the services of another processor,
(11)takes all measures required pursuant to § 35(1), and
(12)assists the controller, taking into account the nature of the processing and the information available to the processor, in ensuring compliance with the obligations referred to in §§ 25 to 28, 32, 34 to 42, 45(6) and § 57(4).
(13)The contract or other legal instrument within the meaning of paragraph 3 shall be in written or electronic form.
(14)1Where a processor engages another processor, it shall impose on the other processor the same obligations from its contract or other legal instrument with the controller pursuant to paragraph 3 that apply to it, insofar as those obligations are not already binding on the other processor by virtue of other provisions. 2Where an additional processor fails to fulfil those obligations, the processor that engaged the additional processor shall be liable to the controller for the fulfilment of the obligations of the additional processor. 3For the prior written authorisation by the controller of the engagement of another processor, Article 28(2) of the General Data Protection Regulation shall apply mutatis mutandis.
(15)1Where the processor becomes aware of a personal data breach, it shall notify the controller without undue delay. 2Where the processor is of the opinion that an instruction is unlawful, it shall inform the controller without undue delay.
(16)1The processor shall maintain records of all categories of processing activities carried out on behalf of the controller in accordance with Article 30(2) of the General Data Protection Regulation applied mutatis mutandis. 2Article 30(3) and (4) of the General Data Protection Regulation shall apply mutatis mutandis.
(17)In other respects, the processor shall comply with the obligations arising from §§ 34 to 37, 40, 45(6) and § 57(4) or assist the controller in complying with its obligations referred to in paragraph 3 sentence 2 number 9.