With the GDPR now applicable, the question arises how IT maintenance is to be qualified in terms of data protection. This aspect is of great practical relevance, because virtually every software system contains personal data. Software from Microsoft, Oracle or SAP, for example, processes personal data of customers and employees. Even a reporting application that stores only the controller's financial data will, for access management purposes, at least hold the names or user IDs of the employees who use it.
1. Statement of German DPAs
The German DPAs (Datenschutzkonferenz, DSK) issued a short paper qualifying software and hardware maintenance as data processing on behalf of the controller.[1] Their argument is that access to personal data is generally possible while the service is being provided. Art. 4 (2) GDPR contains a correspondingly broad definition, under which any
“…use, disclosure by transmission, dissemination or otherwise making available…”
of personal data constitutes processing. On this interpretation, maintenance involves a disclosure of personal data by transmission to the maintenance provider.
Only where access to personal data by the maintenance provider can be ruled out do the German DPAs, by way of exception, not qualify IT maintenance as data processing on behalf. If, for example, an external data centre provides solely the infrastructure, such as the building and the floor space for the servers, this service is not regarded as processing.[2]
2. Consequences of the statement
The consequences of this interpretation are far-reaching: on that view, any IT maintenance requires a legal basis.[3] That legal basis can be provided by a data processing on behalf arrangement pursuant to Art. 28 GDPR.
Under Art. 4 (8) GDPR, a processor
“…means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;”
Therefore, under Art. 28 GDPR, any IT maintenance requires inter alia that
- a contract for data processing on behalf is concluded,
- the service provider acts only on the documented instructions of the controller,
- the service provider implements appropriate technical and organisational security measures,
- the service provider does not engage any other (sub-)processor without the controller's authorisation.
In addition, where the maintenance provider is located outside the EU, the GDPR requirements for transfers of personal data to third countries apply as well.[4]
3. Legal background
The discussion of how to qualify IT maintenance in terms of data processing has a long history in Germany. Eventually a clause was added to the former German Federal Data Protection Act (BDSG) stipulating that the provisions on data processing on behalf apply by analogy to maintenance providers if
“access to personal data cannot be excluded.”[5]
The German DPAs are now carrying this interpretation over to the GDPR and extending it. In contrast to the former legal position, however, they regard the requirements of data processing on behalf as directly applicable to maintenance, not merely applicable by analogy.
4. Legal opinion
On the one hand, the interpretation of the German DPAs considerably restricts the maintenance provider's room for manoeuvre in practice. Generally, the risk for the data subject is lower in the maintenance scenario, since access to data occurs only in an actual maintenance case, for instance when a bug in the software has to be analysed. In the outsourcing scenario, by contrast, which is the typical case of data processing on behalf, the complete customer data set is transferred to the service provider.
On the other hand, from a legal point of view there is no criterion available other than the potential access of the service provider or maintenance provider to the controller's personal data. This is underlined by the broad definitions of both ‘processing’ and ‘data processing on behalf’ in the GDPR.
5. Will the consistency mechanism apply?
Unless a national DPA of another member state comes to a different conclusion, the statement of the German DPAs is, in practice, the authoritative interpretation of the GDPR for controllers and processors under their supervision. Should another national DPA adopt a different interpretation, the consistency mechanism (Art. 63 ff. GDPR) will apply, and the European Data Protection Board (EDPB) would have to issue a binding decision on the interpretation of the GDPR. Up to now, WP29, the predecessor of the EDPB, has not provided a clear statement on whether IT maintenance is to be regarded as data processing on behalf.[6]
[1] DSK, Kurzpapier Nr. 13, Auftragsverarbeitung, Art. 28 DSGVO, page 3; https://datenschutz-hamburg.de/assets/pdf/DSK_Kurzpapier_Nr_13_Auftragsverarbeitung.pdf
[2] DSK, Kurzpapier Nr. 13, Auftragsverarbeitung, Art. 28 DSGVO, page 3, 4; https://datenschutz-hamburg.de/assets/pdf/DSK_Kurzpapier_Nr_13_Auftragsverarbeitung.pdf
[3] According to Art. 5 (1) (a) and Art. 6 (1) GDPR.
[4] According to Art. 45 ff. GDPR.
[5] § 11 (5) BDSG (old version); https://www.datenschutz-wiki.de/11_BDSG
[6] WP29, WP169, Opinion 1/2010 on the concepts of “controller” and “processor”, adopted on 16 February 2010; http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf