In outsourcing agreements, one frequently encounters the requirement of obtaining prior consent when it comes to either using or exchanging subprocessors (i.e., third parties supporting the provider with regard to the fulfillment of its contractual obligations vis-à-vis the customer and without having a related contractual relationship with the customer). Such clauses are certainly not welcomed by providers, but, as a rule, they are also not the most difficult to negotiate in favor of customers. The reasons for customers claiming the right to control the use of subprocessors are manifold. Often confidentiality protection, control over intellectual property or regulatory and privacy reasons are at the root of customers imposing restrictions on subprocessing.
For cloud service providers, the situation is far more complex when it comes to using subprocessors. Although, from a phenomenological point of view, a cloud service provider bears a similarity to an outsourcing provider, there is — among many differences, which are not discussed here — often a more intense necessity to have quite some leeway regarding the use of subprocessors without having to ask for customer consent. The most obvious reason is that the standardized services are designed to be used by many customers around the globe and correspondingly in various different time zones (often advertisements use terms like “follow the sun” to describe the corresponding ubiquitous 24/7 support availability) in a homogeneous manner. Attaining this sort of permanence of service and support requires personnel in the corresponding time zones, which — quite obviously — entails the use of subprocessors. Maintaining permanent technological adaptation and improvement (often described as the “evergreen nature of cloud services”) is another reason triggering the need to use subprocessors.
This Focus article deals with German and EU privacy law requirements for using and exchanging subprocessors, and suggests possible elements of a subprocessing clause.
Requirements for Using Subprocessors
No Explicit Requirements in Germany’s Federal Data Protection Act (FDPA)
There are no explicit statutory requirements in the FDPA as regards the use of subprocessors or the drafting of subprocessing agreements. Section 11 FDPA merely deals with the requirements for data processing agreements with main data processors. Subprocessors are only mentioned in Section 11 (2) 2nd sentence no. 6 FDPA (and nowhere else in the FDPA), which requires that the data processing agreement deal with the “right of the data processor to use subprocessors”.
As a side remark, it should be noted that there are a number of general legal principles which could be used to establish requirements for subprocessing. It could, for example, be seen as a requirement for orderly management of a company (Section 43 Limited Liability Company Act and Section 93 Stock Corporation Act) that management makes sure not to lose control over the data for which it is responsible, regardless of the number of processors and subprocessors used. For the banking sector, Section 25a Banking Act together with the Circular “Minimum requirements for risk management” of the Federal Financial Supervisory Authority provide detailed guidance on criteria for outsourcing tasks to a provider and for the use of subprocessors (“The requirements for the outsourcing of activities and processes have to be respected also in case of a further outsourcing of outsourced activities and processes”; see AT9, no. 9 of the “Minimum requirements for risk management”, available, in German, at http://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Rundschreiben/rs_1210_marisk_ba.html).
Requirements Deduced from the FDPA
Despite the fact that Section 11 (2) 2nd sentence no. 6 FDPA only requires that the main data processing agreement deal with the right of the main data processor to use subprocessors, there are more requirements for the subprocessing agreement which can be deduced from Section 11 FDPA. The reason is that a subprocessor is only a processor, in other words, a party having to abide by instructions regarding the processing of personal data and for the actions of which the ultimate responsibility lies with the controller. In this light, the requirements for choosing a data processor according to Section 11 (2) 1st sentence FDPA, as well as the requirements for the main data processing agreement according to Section 11 (2) 2nd sentence nos. 1 – 10 FDPA, mutatis mutandis, also make sense for choosing a subprocessor (a process carried out under the main data processor’s responsibility, as opposed to the process of choosing the main data processor, which is the controller’s task) and for the subprocessing agreement.
Section 11 (2) FDPA contains the following wording (see http://www.bfdi.bund.de/EN/DataProtectionActs/Artikel/BDSG_idFv01092009.pdf?__blob=publicationFile):
(2) The processor shall be chosen carefully, with special attention to the suitability of the technical and organizational measures applied by the processor. The work to be carried out by the processor shall be specified in writing, including in particular the following:
1. the subject and duration of the work to be carried out,
2. the extent, type and purpose of the intended collection, processing or use of data, the type of data and category of data subjects,
3. the technical and organizational measures to be taken under Section 9,
4. the rectification, erasure and blocking of data,
5. the processor’s obligations under subsection 4, in particular monitoring,
6. any right to issue subcontracts,
7. the controller’s rights to monitor and the processor’s corresponding obligations to accept and cooperate,
8. violations by the processor or its employees of provisions to protect personal data or of the terms specified by the controller which are subject to the obligation to notify,
9. the extent of the controller’s authority to issue instructions to the processor,
10. the return of data storage media and the erasure of data recorded by the processor after the work has been carried out.
[…] The controller shall verify compliance with the technical and organizational measures taken by the processor before data processing begins and regularly thereafter. The result shall be documented.
Requirements for Exchanging Subprocessors
One of the still open questions is whether the main data processing agreement needs to contain a mechanism for how the main data processor can exchange and appoint new subprocessors. Section 11 (2) 2nd sentence no. 6 FDPA does not answer this question. Based on the concept that a controller must always know and have the power to influence where its personal data are and who has access to them, the German data protection authorities and the EU Article 29 Data Protection Working Party (hereinafter “WP 29”), an independent EU advisory body on data protection and privacy set up under Article 29 of Directive 95/46/EC (the Data Protection Directive), have taken the view that the controller has to receive notification prior to a new subprocessor being granted access and has the right to object or terminate the contract.
In its Working Paper 196 containing its “Opinion 05/2012 on Cloud Computing” (see http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp196_en.pdf) (see analysis by the author at WDPR, July 2012, page 8), the WP 29 puts this as follows (see p. 10 of Working Paper 196):
In the view of the WP 29, the processor can subcontract its activities only on the basis of the consent of the controller, which may be generally given at the beginning of the service with a clear duty for the processor to inform the controller of any intended changes concerning the addition or replacement of subcontractors with the controller retaining at all times the possibility to object to such changes or to terminate the contract. There should be a clear obligation of the cloud provider to name all the subcontractors commissioned. In addition, a contract should be signed between cloud provider and subcontractor reflecting the stipulations of the contract between cloud client and cloud provider. The controller should be able to avail of contractual recourse possibilities in case of breaches of contracts caused by the subprocessors. This could be arranged by ensuring that the processor is directly liable toward the controller for any breaches caused by any sub-processors he has enlisted, or through the creation of third party beneficiary right for the benefit of the controller in the contracts signed between the processor and the sub-processors or by the fact that those contracts will be signed on behalf of the data controller, making this latter a party to the contract.
Suggested Elements of a Subprocessing Clause
Equivalence of Main Data Processing Agreement and Subprocessing Agreement
The simplest approach to making sure that the requirements contained in Section 11 FDPA are reflected in the subprocessing agreement and to keeping the controller in the “driver’s seat” (as opposed to granting the main data processor a “fire and forget” subprocessing right) is to enter into a data processing agreement with the main data processor that is in full compliance with Section 11 FDPA and requires the main data processor to impose the “same obligations on the subprocessor as provided for in the main data processing agreement” (such clause hereinafter referred to as the “Equivalence Clause”).
Although the Equivalence Clause is used quite frequently and covers a certain percentage of the obligations a subprocessor must follow, it is not a sufficient drafting guideline for a subprocessing agreement, for the following reasons:
1) The first gap is the instruction right. The main data processing agreement does not provide for an instruction right for the benefit of a non-party, as the controller is from the perspective of the subprocessing agreement entered into solely between the main data processor and the subprocessor.
2) The same applies to audit rights. Without the subprocessing agreement granting an audit right to the controller, the subprocessor could refuse to be audited by the controller. Moreover, the Equivalence Clause might lead to a large number and wide scope of audits at the subprocessor level, which might be justified at the main data processor level (given the fact that the main data processor owes 100 percent of a certain data processing service), but might be exaggerated from the perspective of a subprocessor in charge of only a fraction of the services.
3) The Equivalence Clause would not clearly require the main data processor to attribute only specific tasks to the subprocessor and oblige the subprocessor to implement the corresponding technical and organizational measures, because the corresponding legal requirements are contained in Sec. 11 FDPA and not in the main data processing agreement itself. A compliant main data processing agreement can rather be seen as the proof of the controller having respected the aforementioned legal requirements.
4) As regards the technical and organizational measures, the Equivalence Clause would be in contradiction with the principle that the level of technical and organizational measures is largely (beyond a certain level of standard security measures) determined by the tasks of the (sub)processor, and task adequacy of the technical and organizational measures is seen as the key selection criterion for processors and subprocessors. Moreover, blindly requiring the main data processor to accept the Equivalence Clause will impact on the main data processor’s pricing strategy, and thus on the price the controller would have to pay for the services.
Subprocessing Specifics
As a solution to the challenges mentioned above, the subprocessing clause in the main data processing agreement should not be limited to the Equivalence Clause, but should contain the following requirements for subprocessing agreements:
1) As a starting point, the Equivalence Clause should be used. It is also contained in Clause 11 (1) 2nd sentence of the Standard Contractual Clauses 2010/87/EU (“EU Model Contract”), which, like Section 11 FDPA, is based on Article 17 of Directive 95/46/EC:
Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses.
It should be noted that the requirements for subprocessing agreements contained in the EU Model Contract, for example, in Clauses 3 (3), 5 (j), etc. — and also because of the EU Model Contract’s adequacy effect — go beyond what Section 11 FDPA and Article 17 of Directive 95/46/EC require, and, therefore, do not appear in this list of subprocessing specifics.
2) In order to maintain control over the personal data processed by the subprocessor, the controller should reserve the right to give direct instructions to the subprocessor in exceptional circumstances and should require the main data processor to provide for such right in the subprocessing agreement. The right to give direct instructions should therefore be designed as an exception and subject to the controller coordinating with the main data processor, in order to avoid conflicts and the corresponding lack of clarity.
3) As with the instruction right, the controller should have the right to carry out audits at the subprocessor level in order to be able to bear the responsibility for the personal data processed by the chain of processors. This requirement also ensues from Clause 11 (1) 2nd sentence of the EU Model Contract, together with its Clause 5 (f):
The data importer agrees and warrants: […] (f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority; […]
The German data protection authorities require direct audit rights of the controller, also in cases of subprocessors used by a Safe Harbor-certified data processor. The main argument is that the scope of control must not be limited as a consequence of the main data processor using subprocessors.
However, it would not make sense (and it would be hard to negotiate) if the controller claimed exactly the same audit rights at a subprocessor level which the controller has vis-à-vis the main data processor. Such double audit impact would be problematic, because the subprocessor would then be subject to twice as many audit rights as the main data processor (i.e., the audit rights of the main data processor and the audit rights of the controller). Should several controllers decide to execute their audit rights simultaneously, this could even have a disruptive effect on the operations of the subprocessors. Consequently, direct audits of the controller should be designed as an exception limited in its total annual number and with the main data processor being entitled to bundle several controller audits, except in cases where an audit is claimed by a controller as a consequence of a concrete suspicion of irregularities at the subprocessor level.
4) The main data processor should be obliged to clearly specify for which tasks it uses subprocessors, and to have this accurately reflected in the subprocessing agreement. Without such accuracy, the controller would not be able to make efficient use of its exceptional instruction and audit rights (discussed above), and could not judge whether the subprocessor has implemented adequate (i.e., in line with the tasks assigned to the subprocessor) technical and organizational measures. Furthermore, German data protection authorities are reluctant to accept main data processors without any tasks. It is therefore advisable to limit the subprocessing in its scope in order to leave the main data processor in charge of significant portions of the processing.
5) The main data processor should be obliged to impose technical and organizational measures on the subprocessor which are sufficient in view of the concrete tasks which have been delegated to the subprocessor. For example, should the subprocessor only have the task to take phone calls from users, check their entitlement to use helpdesk services, answer basic questions about the services and refer remaining callers to the main data processor’s dedicated support staff, it would not make sense to insist on daily data backups, access limitations for the servers, etc.
6) With regard to exchanging or adding new subprocessors, the main data processor should be required to seek the consent of the controller prior to granting a new subprocessor access to the controller’s data, it being noted, however, that German data protection authorities do not consistently require prior consent each time a new subprocessor is engaged if both the main data processor and the new subprocessor are located in the European Union/European Economic Area. Should the controller not be in agreement with a new subprocessor, it should have either the right to object to the new subprocessor or the right to terminate the main data processing agreement, it being noted that not exercising such rights should be considered as the controller accepting the new subprocessor. The objection right is the least likely option, since it would lead to a fragmented landscape of subprocessors, and is thus hardly acceptable to a main data processor. Although this does not apply to the option of granting the controller a termination right, such a right also has a negative (but unavoidable) impact on the main data processor. Whenever the main data processor would like to change its portfolio of subprocessors, the controllers could use this as a pretext for termination of the main data processing agreements, which might otherwise not have been possible. In order to avoid the situation where a controller uses a change in the subprocessor portfolio as a reason for termination of the main data processing agreement, one could think of additional requirements for a termination right, such as reasons connected with the new subprocessor (e.g., the new subprocessor being located in a politically unstable jurisdiction, or in a geographically uncertain area due to the high likelihood of earthquakes, for instance). Such additional limitations would change the termination right, which is otherwise unconditional apart from the change in the subprocessor portfolio, into a right of termination for cause.
It is highly unlikely that the German data protection authorities would accept such additional requirements for the termination right (and several of these authorities have already rejected suggestions in that direction), since the additional requirements could be seen to be in conflict with the controller’s elementary right to control where the personal data are stored and who has access to them.
7) Another important aspect which should be addressed in the main data processing agreement is the question of whether it is only the main data processor that has the right to use subprocessors, or whether the subprocessor also has this right. In the subprocessor definition contained in Clause 1 d) of the EU Model Contract, this question seems to be answered, since (emphasis added) “ ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract”. Even though this definition seems to allow an endless chain of subprocessors, the wording of Clause 11 (1) 2nd sentence of the EU Model Contract always (i.e., regardless of which party engages the subprocessor) requires “the consent of the data exporter”. From the controller’s perspective and its obligation to maintain control over the personal data, it is preferable to limit the right to use subprocessors to the main data processor. Although the corresponding discussion has not yet come to an end, the Article 29 Working Party also seems to lean in that direction.
Conclusion and Outlook
With data protection authorities requiring that data controllers maintain absolute control over personal data throughout the chain of processors and subprocessors, the proper handling of subprocessing can become complex. Occasionally, it is seen as an alternative to subprocessing to have the subprocessors accede to the main data processing agreement. However, from a practical standpoint, accession-based solutions create some complexities (e.g., because of the large number of contracting parties) and limit flexibility (e.g., because future contract changes beyond a certain threshold of pre-agreed changes require the agreement of all parties).
For controllers and main data processors, it is advisable to accept that subprocessors are regarded as “normal” processors by the data protection authorities, and that — as a consequence — the chain of control between controllers and subprocessors must remain in effect. However, it is possible to provide for rule-and-exception-based limitations of the controller’s subprocessor-facing rights as compared to the rights a controller would have vis-à-vis the main data processor. Such rule-and-exception-based limitations might, for example, concern the controller’s instruction and audit rights vis-à-vis the subprocessor, as long as exceptional instruction and audit rights are maintained.
Prof. Dr. Michael Schmidl is a Partner with Baker & McKenzie, Munich, and a member of the World Data Protection Report Editorial Board. He may be contacted at michael.schmidl@bakermckenzie.com.