In business, it has long been standard practice for the processing of a company's personal data (company A as the controller) to be carried out by third parties (company B as the processor/provider). Examples include cloud services, file shredding, software and IT service providers, web campaigns run with customer data, email services and much more.
The client remains responsible for its data and may only choose processors that offer sufficient guarantees that appropriate technical and organizational measures are implemented in accordance with the requirements of the GDPR.
This is done in accordance with Article 28 (3) GDPR via a contract for commissioned data processing, which must be concluded and must cover the essential points listed in Article 28 (3) GDPR. This contract in turn gives the client the privilege of having its data processed by a third-party company without further legal restrictions, whereby the third-party company is legally treated as an internal unit of the controller.
However, the client continues to be liable as the controller alongside the contractor for breaches of data protection. An exception exists only if it can prove that it is not responsible in any way for the circumstance that caused the damage (Article 82 (3) GDPR).
What happens after an order processing contract ends?
Have you thought about what happens to your data after an order is terminated? I hope so. A case decided by the Higher Regional Court of Dresden, judgment of 15.10.2024 - 4 U 422/24, is interesting in this regard. In this case, a customer sued the defendant as the controller for damages due to a breach of GDPR regulations that occurred at its processor. Although the claim was dismissed, the court did find that the defendant had committed a breach giving rise to an obligation to pay damages and affirmed a claim for damages on the merits. What had happened?
In the course of a hacker attack, customer data of a processor's client was accessed and offered for sale on the darknet. It should be noted that the data was published on the darknet in 2022, although the contractual relationship had already ended at the end of 2019. When the contract was terminated at the time, the processor confirmed to the controller that the data would be “deleted on the following day”. However, the fact that data from the contractual relationship was posted on the darknet more than 2 years later, together with other facts, gave rise to the strong suspicion that the processor had not properly deleted the data after completion of the work.
What should you definitely consider?
As the responsible company, you must of course ensure that your personal data (outside of the GDPR, this also applies to important company data) is either properly deleted or returned once the order has been completed. This must also be provided for in the underlying order processing contract.
Article 32 (3) h) GDPR states that the contractor must
upon completion of the provision of the processing services, either erase or return all personal data at the choice of the controller and erase the existing copies, unless there is an obligation to retain the personal data under Union or Member State law.
Unfortunately, we find from time to time that the issue of erasure is not always handled transparently by some processors and that the responsible company has not always given it enough thought. The matter can be further complicated by the involvement of various sub-processors which, contrary to the GDPR, are not notified to the controller at all or only upon special request.
In such cases, caution is required, as it is the responsibility of the client as the controller to select a reputable provider that is also able to delete all of the client's data, regardless of where it is located, in compliance with the GDPR.
Can you rely on the provider to delete your data?
First of all, the GDPR states that data must be returned or deleted at the controller's discretion. This means that the controller must discuss this with the service provider and, if necessary, reach an agreement. If possible, the parties should agree in advance on the specific return or deletion of the data, including specific deadlines. At the very least, however, a corresponding clause on erasure, as described in Article 32(3)(h) GDPR, will have been included in the data processing agreement.
Doing nothing at all is not an option: in addition to the controller's liability towards the data subjects, it could result in a substantial fine if the processor still holds data that it should no longer have after the end of the contractual relationship. The issue of erasure becomes relevant again at the latest when the contract ends.
Is this sufficient or do I also need to have the deletion confirmed?
If data is deleted, the controller has monitoring and verification obligations and must at least obtain clear confirmation that the personal data has been deleted in accordance with the GDPR.
The guidelines of the European Data Protection Board (EDPB) 07/2020 of 07.07.2021 state: The processor should confirm to the controller that the erasure has been completed within the agreed period and in the agreed manner.
In the Dresden case, the processor merely stated that the data would be deleted on the following day, which the court rightly did not consider sufficient. The client should have demanded that the processor actually delete the data provided to it and issue a meaningful certificate to this effect. Consequently, the client could not exempt itself from liability either, as an exception exists only if it proves that it is not responsible in any way for the circumstance that caused the damage (Article 82 (3) GDPR). The client's responsibility could not be ruled out, since, had a meaningful confirmation been requested, the data might well have been deleted in time before the hacker attack.
What does this mean?
The topic of deleting and, if necessary, returning personal data is a sensitive one. No company should expose itself to the risk that sensitive data of its employees or customers may still be held by the contractor years after an order has been placed and may thus also be exposed to security risks, e.g. from hackers and criminals.
Include this topic in the discussions about awarding an order processing contract. Obtain timely and clear confirmation of the deletion, stating when and by which GDPR-compliant deletion method the data from the terminated contractual relationship was deleted.