
§ 38 LDSG SH

Processing on behalf of the controller

(1) Where personal data are processed on behalf of a controller by other persons or bodies, the controller shall be responsible for compliance with the provisions of this Act and other data protection provisions. The rights of data subjects to access, rectification, erasure, restriction of processing and compensation shall in this case be asserted against the controller.
(2) A controller shall engage only processors which provide sufficient guarantees by way of appropriate technical and organisational measures that the processing is carried out in compliance with the statutory requirements and that the protection of the rights of data subjects is ensured.
(3) Processors shall not engage another processor without prior written authorisation of the controller. Where the controller has given the processor a general authorisation to engage other processors, the processor shall inform the controller of any intended addition or replacement. The controller may in that case object to the addition or replacement.
(4) Where a processor engages another processor, it shall impose on the other processor the same obligations from its contract with the controller pursuant to paragraph 5 that apply to it, insofar as those obligations are not already binding on the other processor by virtue of other provisions. Where an additional processor fails to fulfil those obligations, the processor that engaged the additional processor shall be liable to the controller for the fulfilment of the obligations of the additional processor.
(5) Processing by a processor shall be carried out on the basis of a contract or other legal instrument which is binding on the processor with regard to the controller and which sets out the subject matter, duration, nature and purpose of the processing, the type of personal data, the categories of data subjects, and the rights and obligations of the controller. The contract or other legal instrument shall provide in particular that the processor
1. acts only on documented instructions from the controller; where the processor is of the opinion that an instruction is unlawful, it shall inform the controller without undue delay;
2. ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3. assists the controller by appropriate means in ensuring compliance with the provisions on the rights of data subjects;
4. returns all personal data to the controller or deletes them on completion of the provision of processing services, at the choice of the controller, and destroys existing copies, unless a legal provision requires retention of the data;
5. makes available to the controller all information necessary, including the logs created pursuant to § 52, to demonstrate compliance with its obligations;
6. allows for and contributes to audits, including inspections, conducted by the controller or an auditor mandated by the controller;
7. complies with the conditions referred to in paragraphs 3 and 4 for engaging the services of another processor;
8. takes all measures required pursuant to § 40; and
9. assists the controller, taking into account the nature of the processing and the information available to the processor, in ensuring compliance with the obligations referred to in §§ 40 to 43 and § 45.
(6) The contract within the meaning of paragraph 5 shall be in written or electronic form.
(7) A processor that determines the purposes and means of the processing in breach of this provision shall be deemed to be a controller in respect of that processing.
Source:
https://www.gesetze-rechtsprechung.sh.juris.de/bssh/document/jlr-DSGSHrahmen
Citation:
GVOBl. SH 2018 S. 162
As of:
2024-01-01
Retrieved:
2026-02-28