§ 52 DSG NRW
Processing of personal data on behalf
(1)In the case of the processing of personal data on behalf, Article 28(1) to (4), (9) and (10), as well as Article 29 of Regulation (EU) 2016/679 shall apply accordingly. Where personal data are processed on behalf of a controller by other persons or bodies, the controller shall be responsible for ensuring compliance with the provisions of this Act and other provisions on data protection. The rights of data subjects to access, rectification, erasure, restriction of processing and compensation for damages shall in this case be asserted against the controller.
(2)Article 28(1) to (4), (9) and (10), as well as Article 29 of Regulation (EU) 2016/679 shall also apply accordingly where the inspection or maintenance of automated procedures or data processing systems is carried out on behalf by other persons or bodies. These persons must have the necessary professional qualifications and reliability. The client shall ensure, before the commencement of work, that the contractor can only have access to personal data insofar as this is unavoidable. This shall also apply to access to data subject to professional or special official secrets. The contractor shall erase personal data attributable to the client without delay after completion of the assignment. The documentation of the measure shall be retained for the purpose of data protection supervision for three years.