How to engage IT service providers in line with data protection requirements


It is rare nowadays for IT services to be operated in-house and with a company's own IT infrastructure in their own server room. The reality for hosting data and operating applications today is the involvement of service providers and the use of services in the cloud. This has many advantages, such as saving internal resources for maintenance and operation, and can also improve IT security with the right partners. However, there are requirements for data protection-compliant commissioning, monitoring and integration of service providers. Read here what you need to bear in mind.

Service provider classification

If you use service providers to process personal data, this can basically be in the form processing, transfer or joint controllership. In order to take the right measures, you should first be aware of the role of your service provider.

  • Processor: A processor is the most common case when you use third parties to process personal data. This is when a third party processes personal data on your behalf in accordance with your instructions, i.e. you determine how the processing is carried out. Classic use cases are the hosting of data and applications, but also the provision of SaaS or cloud software. We'll take a closer look at this case in a moment.
  • Transfer: A transfer of personal data occurs when you process personal data yourself and pass it on to a third party who determines how it is processed. For the involvement of service providers, a transfer is particularly relevant for the commissioning of consultants who act with their own expertise and decision-making freedom, such as lawyers, tax consultants or auditors. In this case, you must ensure that you have a justification for transferring personal data to these service providers. This special case is not discussed in detail here.
  • Joint controllership: If you and another controller jointly determine the purposes and circumstances of the processing, this constitutes joint controllership. A common case is the provision of your own content in a portal operated by a third party, such as the operation of a fan page on Facebook or activities in a network of companies in which, for example, a sales database is shared. If there is joint controllership, an agreement must be concluded in accordance with Art. 26 GDPR. This special case is not discussed in detail here.

Legal requirements

The requirements for the data protection-compliant involvement of a service provider as a processor are set out in Art. 28 GDPR. Careful selection of the service provider and monitoring of the technical and organisational measures, the conclusion of a processor agreement and regular monitoring of the service provider are important for this. If the service provider comes from a third country outside the EEA, there are additional requirements.

Careful selection of the service provider

The commissioning of processors is only permitted if the service provider is reliable because it offers sufficient guarantees that suitable technical and organisational measures are in place and that the processing complies with data protection regulations. In other words, the data processing must be carried out by the service provider just as carefully as by the controller itself. In practice, this check is carried out by monitoring the technical and organisational data protection concept.

This check must be carried out for the first time before a service provider is commissioned and must then be repeated regularly. The frequency and intensity of the check depends in particular on the sensitivity of the processed data. Annual checks of the concept for technical and organisational data protection are common. For less critical applications, this may mean requesting and checking the updated concept, while on-site checks may also be necessary for critical applications.

Technical and organisational measures (TOMs)

The technical and organisational data protection concept is the central document in which service providers document the measures they take to ensure compliance with data protection obligations and the protection of personal data. As the client, you should always look at this document and only commission a service provider if you are convinced that the documented measures are appropriate and will actually be implemented. The assessment is traditionally carried out by one or more of the following persons or departments.

  • Data protection officer
  • IT,
  • IT security
  • Information security

The content that a TOM concept should cover is set out in Art. 32 GDPR. These are in particular

  • Pseudonymisation and encryption of personal data,
  • Confidentiality, integrity, availability and resilience of systems and services,
  • the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident,
  • a process for regularly reviewing, assessing and evaluating the effectiveness of the technical and organisational measures.

Data processing agreement (DPA)

If the service provider appears to be diligent on the basis of the review of the technical and organisational data protection concept, it must be contractually obliged to comply with data protection law on the basis of Art. 28 GDPR. A processor contract must therefore be concluded to agree inter alia

  • that personal data will only be processed on the documented instructions of the controller,
  • which technical and organisational measures the service provider must take
  • that the controller may monitor the service provider,
  • which sub-service providers are involved and
  • the conditions to involve further sub-processors.

Service providers in third countries

In practice, it regularly happens that service providers in third countries outside the EEA are commissioned, such as AWS or Microsoft for hosting and application services. In this normal case in IT reality, there are additional challenges under data protection law. In addition to the requirements described above, the controller must then ensure that there are appropriate guarantees for the protection of the data concerned for processing in the third country. The standard contractual clauses of the EU Commission, binding corporate rules or adequacy decisions of the EU Commission are often used for this purpose. However, it may also be necessary to take further technical measures or carry out a data transfer impact assessment.