Numerous web hosts, and the people who use hosting services, have not yet come to terms with the legislation. When a web hosting service is used, a written agreement may be required. This is especially true if the requirements of § 11 BDSG are met. The statutory provision states that when the processing of personal data is outsourced, certain content must be agreed and recorded in writing. We clarify the content of the agreement and the possible consequences of non-compliance.
§ 11 BDSG - Web hosting partly only possible with written agreement
Web hosting is now offered by numerous service providers. Often just a few clicks are enough to upload a WordPress blog, a website or an online store. Most web hosts are not aware that web hosting requires a written agreement with the user if personal data is processed during the assignment. This is prescribed by § 11 BDSG (Federal Data Protection Act). In web hosting, a user receives space from a provider on a web server. The scope of services ranges from the simple provision of resources to versatile services such as data backup, monitoring and statistical evaluations. If the services offered relate to the storage and processing of personal data, written agreements must be made. This applies in particular if order data processing exists. This is understood to mean the outsourcing of data processing operations. The web host always remains bound to the instructions of the ordering party, i.e. it has no decision-making or evaluation latitude with regard to the transmitted data.
The content of § 11 BDSG (Federal Data Protection Act)
§ 11 I BDSG states that the client is responsible for compliance with the provisions of the BDSG. Among other things, the client must ensure that the web host complies with the BDSG when processing personal data. If damage occurs, it must be borne by the client. The costs can then be recovered from the web host by way of damages. § 11 II BDSG states that the contractor (the web host) must be selected carefully with regard to the technical and organizational measures it takes. It goes on to require that the order be placed exclusively in writing. The following points should be stated in the contract:
- Subject and duration of the order
- Scope, purpose and method of collection, processing and use of personal data
- Type of data and circle of those affected
- The organizational and technical measures to be taken according to § 9 BDSG
- Measures to block, delete and correct the data
- The obligations of the contractor, for example checks (defined in § 11 IV BDSG)
- Any permissions to employ subcontractors
- Holding the control rights of the client
- Tolerance and cooperation obligations of the contractor
- Notification obligations of the contractor and its subcontractors in the event of breaches of regulations protecting personal data
- Scope of authority of the client towards the contractor (web host)
- The deletion of data after completion of the order and the return of any data carriers handed over
For public bodies, an agreement can be reached with the competent supervisory authority. Before outsourcing data processing, the client has to inform itself about the technical and organizational standards of the contractor and to check these regularly. The results are to be logged. § 11 BDSG states that the contractor, i.e. the web host, has to inform the client immediately if its instructions infringe data protection law. For people who use the services of web hosts, the question of liability arises. After all, it is typical of order data processing that the obligation to comply with the legal requirements remains with the user and not with the web host, although the latter handles the processing of personal data. The duty of care applies even before the order is placed: users are obliged to satisfy themselves as to the technical capabilities of their future web host. These due diligence obligations continue to exist during the assignment. The most important requirement is that the order for data processing be issued in writing. A written agreement requires that web host and user put their signatures under the contract. Submitting an online form or placing an order by e-mail is not sufficient. In addition, the agreement must contain the above points (ten prerequisites) in order to comply with the requirements of § 11 BDSG.
The BDSG in connection with web hosting
Whether web hosting constitutes order data processing according to § 11 BDSG, and whether a written agreement is therefore actually required, is assessed differently. Some lawyers argue that order data processing is always present when the storage space and computing power of a third party are used. Accordingly, web hosting would always involve order data processing. The rationale is that physical control over data creates significant leverage over its processing. In this view, order data processing is always given when the data processing systems can be acted upon. This applies all the more when the web host is responsible for monitoring and maintenance tasks. Other legal scholars assume that order data processing does not yet exist in these cases. If customers obtain storage space from a web host, they merely rent third-party data processing systems. The user decides which programs are installed and which personal data is stored. On this second view, order data processing only begins once the web host makes backups and stores them. The data protection supervisory authorities in Germany assume order data processing when an online shop is hosted. After all, every online store stores personal data.
European regulations for order data processing
As has already been explained, a written agreement for web hosting is always necessary if there is order data processing on the part of the web host. The Data Protection Directive (Directive 95/46/EC) defines a category known as the 'processor'. The independent advisory body of the European Union, the "Article 29 Working Party", commented on the role of web hosting: "Web hosts are processors of personal data published by their customers on the Internet". For web hosts it is of enormous importance whether their services are considered order processing. The far-reaching consequences of a violation may include criminal and civil liability. In the case of order data processing, web hosts should grant their customers access to their data centers so that they can get an idea of the organizational and technical measures. It is therefore hardly surprising that most web hosts do not consider themselves to be contract data processors within the meaning of § 11 BDSG. Violations of the BDSG can be punished by the data protection supervisory authority in accordance with § 43 I No. 2b in conjunction with § 43 III BDSG with a fine of up to 50,000 euros. The question of whether web hosting constitutes order data processing cannot currently be answered with 100 percent certainty. Since various opinions exist in the literature but the courts have not yet handed down any relevant judgments, whether web hosting services fall within the field of contract data processing is currently a legal gray area. Since shop operators who have their online shop hosted by web hosts are likely to be affected by order data processing, they should monitor the legal developments continuously. Web publishers who want to be on the safe side should obtain sample contracts for order data processing, so that they can produce one in case of doubt. Customers should contact their web host in case of uncertainty and seek advice on their individual case.