[OnyxCeph³™ Wiki]


Note: This page was automatically translated from German to English.

Remote Maintenance vs. Commissioned Data Processing


Under the previous BDSG, remote maintenance of IT systems via remote access constituted commissioned data processing: according to Section 11 (5) BDSG (old), the testing or maintenance of automated procedures triggered the corresponding application of Section 11 (1) BDSG (old) whenever "access to personal data cannot be ruled out." A commissioned data processing contract therefore had to be concluded regardless of whether the service provider engaged by the responsible body within the meaning of Section 3 (7) BDSG (old) actually processed any personal data.

With the introduction of the GDPR, Section 11 (5) BDSG (old) no longer applies, and the GDPR contains no provision that treats the testing and maintenance of automated procedures as processing on behalf of a controller. Under the new legal situation, concluding a processing agreement is no longer necessary as long as personal data is not actually processed. The German legislator has made an exception only for the processing of social data on behalf of a controller: under the new version of Section 80 (5) SGB X, inspection and maintenance work must be treated as processing on behalf if the processor actually has access to personal data. Further exceptions may still appear in future state data protection laws (their compatibility with the higher-ranking GDPR is assumed here).

A mandatory classification of testing and maintenance as processing on behalf cannot be justified in general. Under Art. 4 No. 7 and Art. 28 GDPR, such a relationship exists only if the inspection and maintenance service involves the targeted processing of personal data within the meaning of Art. 4 No. 2 GDPR. That is undoubtedly the case where remote maintenance of a productive IT system requires unavoidable access to databases containing personal data. If, on the other hand, the remote access has no personal reference within the meaning of Art. 4 No. 1 GDPR, as with the analysis of technical log files (provided those logs do not themselves contain personal data such as user names or IP addresses) or the inspection of hardware or software, then mere testing and maintenance services are no longer covered by the rules on processing on behalf.

This follows from the fact that "collecting" within the meaning of Section 3 (3) BDSG (old) was previously interpreted to include merely providing the opportunity to take notice of data. In light of Art. 4 No. 2 GDPR this interpretation is no longer mandatory: it is generally agreed that only the targeted obtaining of personal data satisfies the elements of collection and recording. If a service provider merely has the possibility of accessing personal data, no data has been obtained until the provider actually takes notice of it. Even if one assumes that notice has been taken, there is at least no targeted obtaining of personal data as long as the provider becomes aware of the data only in the course of testing and maintenance and does not process it further once it has become known. Only such further processing of data that has come to the provider's attention would constitute processing within the meaning of Art. 4 No. 2 GDPR.

Denying processing on behalf in the typical remote-maintenance case has advantages for both parties: the contractor escapes the obligation under Art. 28 (3) lit. h) GDPR to provide evidence to the client, joint and several liability does not apply, and neither does the obligation to conclude a contract meeting the requirements of Art. 28 (3) GDPR. Both parties can limit themselves to a suitable non-disclosure agreement and need only take, within their own area of responsibility, the technical and organizational measures for the security of processing required by Art. 32 GDPR.

The Data Protection Conference (DSK) currently appears to see this differently in its short paper No. 13 (available as a PDF), but gives no further reasons. Note: recommendations or advice from the DSK are neither binding nor necessarily unanimous. They offer one possible view of the factual and legal situation and can be as right or wrong as any other view. In particular, there is as yet no statement from the Article 29 Working Party on the classification of remote maintenance under Art. 28 GDPR, let alone a decision of the ECJ. Skepticism is therefore appropriate toward DSK decisions that seek to carry the old law into the new era.

Source: KREMER RECHTSANWÄLTE

en/nadv.txt · Last modified: 2020/09/29 16:14 by onyxadmin