§ 51 LDSG RP
Processing on Behalf
(1) Where personal data are processed on behalf of a controller by other persons or bodies, the controller shall ensure compliance with the provisions of this Act and other data protection provisions. The rights of the data subjects to access, rectification, erasure, restriction of processing and compensation shall in this case be asserted vis-a-vis the controller.
(2) A controller may only engage processors which provide sufficient guarantees, by way of appropriate technical and organisational measures, that the processing will be carried out in compliance with legal requirements and that the protection of the rights of the data subjects will be ensured.
(3) Processors shall not engage another processor without prior written authorisation of the controller. Where the controller has given the processor general authorisation to engage further processors, the processor shall inform the controller of any intended addition or replacement of further processors. The controller may in such cases prohibit the addition or replacement.
(4) Where a processor engages another processor, it shall impose on the latter the same obligations from its contract with the controller pursuant to paragraph 5 that also apply to it, insofar as those obligations are not already binding on the further processor by virtue of other provisions. Where a further processor fails to fulfil those obligations, the processor engaging it shall be liable vis-a-vis the controller for the compliance of the further processor with those obligations.
(5) Processing by a processor shall be governed by a contract or other legal instrument that is binding on the processor with regard to the controller and that sets out the subject matter, duration, nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the controller. The contract or other legal instrument shall in particular provide that the processor
1. shall act only on documented instructions from the controller; where the processor considers that an instruction is unlawful, it shall inform the controller without delay;
2. shall ensure that persons authorised to process personal data are committed to confidentiality, unless they are subject to an appropriate statutory duty of secrecy;
3. shall assist the controller by appropriate means to ensure compliance with the provisions on the rights of the data subject;
4. shall, at the choice of the controller, return or erase all personal data after the end of the provision of processing services and destroy existing copies, unless a legal provision requires storage of the data;
5. shall make available to the controller all necessary information, in particular the logs created pursuant to Section 64, to demonstrate compliance with its obligations;
6. shall allow and contribute to audits carried out by the controller or another auditor mandated by the controller;
7. shall comply with the conditions set out in paragraphs 3 and 4 for engaging further processors;
8. shall take all measures required pursuant to Section 53; and
9. shall, taking into account the nature of the processing and the information available to it, support the controller in complying with the obligations set out in Sections 53 to 57.
(6) The contract within the meaning of paragraph 5 shall be drawn up in writing or in electronic form.
(7) A processor that determines the purposes and means of processing in violation of this provision shall be regarded as a controller in respect of that processing.