§ 48 ThürDSG
Processing on behalf
(Article 22 of Directive (EU) 2016/680)
(1) Where personal data are processed on behalf of a controller by other persons or bodies, the controller shall be responsible for ensuring compliance with the provisions of this Act and other data protection provisions. The rights of the data subject to access, rectification, erasure, restriction of processing and compensation for damages shall in such cases be asserted against the controller.
(2) A controller may only engage processors which provide sufficient guarantees, by way of appropriate technical and organisational measures, that the processing will be carried out in compliance with the legal requirements and that the protection of the rights of the data subjects will be ensured.
(3) Processors shall not engage another processor without prior written authorisation of the controller. Where the controller has given the processor general authorisation to engage further processors, the processor shall inform the controller of any intended addition or replacement of further processors. The controller may object to the addition or replacement in such a case.
(4) Where a processor engages another processor, it shall impose on that other processor the same obligations under its contract with the controller pursuant to paragraph 6 as those applicable to itself, insofar as those obligations are not already binding on the further processor by virtue of other provisions. Where a further processor fails to fulfil those obligations, the engaging processor shall be liable to the controller for the fulfilment of the obligations of the further processor.
(5) Compliance by a processor with approved codes of conduct pursuant to Article 40 of Regulation (EU) 2016/679 or an approved certification mechanism pursuant to Article 42 of Regulation (EU) 2016/679 may be used as an element to demonstrate sufficient guarantees within the meaning of paragraphs 2 and 4.
(6) Processing by a processor shall be governed by a contract or other legal instrument which is binding on the processor with regard to the controller and which sets out the subject matter, duration, nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the controller. The contract or other legal instrument shall stipulate, in particular, that the processor
1. shall act only on documented instructions from the controller; where the processor is of the opinion that an instruction is unlawful, it shall inform the controller without delay,
2. shall ensure that persons authorised to process the personal data are obligated to maintain confidentiality, unless they are already subject to an appropriate statutory duty of confidentiality,
3. shall assist the controller by appropriate means in ensuring compliance with the provisions relating to the rights of the data subject,
4. shall, after the end of the provision of processing services, at the choice of the controller, return or erase all personal data and destroy existing copies, unless a legal provision requires the storage of the personal data,
5. shall make available to the controller all information necessary, in particular the logs generated pursuant to Section 51, to demonstrate compliance with its obligations,
6. shall allow for and contribute to audits carried out by the controller or another auditor mandated by the controller,
7. shall comply with the conditions referred to in paragraphs 3 and 4 for engaging the services of another processor,
8. shall take all measures required pursuant to Section 54, and
9. shall, taking into account the nature of the processing and the information available to it, assist the controller in complying with the obligations referred to in Sections 52 to 56.
(7) The contract or other legal instrument within the meaning of paragraph 6 shall be drawn up in writing or in an electronic format.
(8) A processor which, in breach of this provision, determines the purposes and means of the processing shall be regarded as a controller in respect of that processing.