What you always wanted to know about data protection


How to engage IT service providers in line with data protection requirements

It is rare nowadays for IT services to be operated in-house and with a company's own IT infrastructure in their own server room. The reality for hosting data and operating applications today is the involvement of service providers and the use of services in the cloud. This has many advantages, such as saving internal resources for maintenance and operation, and can also improve IT security with the right partners. However, there are requirements for data protection-compliant commissioning, monitoring and integration of service providers. Read here what you need to bear in mind.

Service provider classification

If you use service providers to process personal data, this will generally take one of three forms: processing on your behalf, a transfer or joint controllership. In order to take the right measures, you should first be aware of the role of your service provider.

  • Processor: A processor is the most common case when you use third parties to process personal data. This is when a third party processes personal data on your behalf in accordance with your instructions, i.e. you determine how the processing is carried out. Classic use cases are the hosting of data and applications, but also the provision of SaaS or cloud software. We'll take a closer look at this case in a moment.
  • Transfer: A transfer of personal data occurs when you process personal data yourself and pass it on to a third party who determines how it is processed. For the involvement of service providers, a transfer is particularly relevant for the commissioning of consultants who act with their own expertise and decision-making freedom, such as lawyers, tax consultants or auditors. In this case, you must ensure that you have a justification for transferring personal data to these service providers. This special case is not discussed in detail here.
  • Joint controllership: If you and another controller jointly determine the purposes and circumstances of the processing, this constitutes joint controllership. A common case is the provision of your own content in a portal operated by a third party, such as the operation of a fan page on Facebook or activities in a network of companies in which, for example, a sales database is shared. If there is joint controllership, an agreement must be concluded in accordance with Art. 26 GDPR. This special case is not discussed in detail here.

Legal requirements

The requirements for the data protection-compliant involvement of a service provider as a processor are set out in Art. 28 GDPR. The key elements are the careful selection of the service provider, review of its technical and organisational measures, the conclusion of a data processing agreement and regular monitoring of the service provider. If the service provider is based in a third country outside the EEA, additional requirements apply.

Careful selection of the service provider

The commissioning of processors is only permitted if the service provider is reliable because it offers sufficient guarantees that suitable technical and organisational measures are in place and that the processing complies with data protection regulations. In other words, the data processing must be carried out by the service provider just as carefully as by the controller itself. In practice, this check is carried out by reviewing the service provider's technical and organisational data protection concept.

This check must be carried out for the first time before a service provider is commissioned and must then be repeated regularly. The frequency and intensity of the check depend in particular on the sensitivity of the processed data. Annual checks of the concept for technical and organisational data protection are common. For less critical applications, this may mean requesting and checking the updated concept, while on-site checks may also be necessary for critical applications.

Technical and organisational measures (TOMs)

The technical and organisational data protection concept is the central document in which service providers document the measures they take to ensure compliance with data protection obligations and the protection of personal data. As the client, you should always review this document and only commission a service provider if you are convinced that the documented measures are appropriate and will actually be implemented. The assessment is traditionally carried out by one or more of the following persons or departments:

  • Data protection officer
  • IT
  • IT security
  • Information security

The content that a TOM concept should cover is set out in Art. 32 GDPR. These are in particular:

  • pseudonymisation and encryption of personal data,
  • confidentiality, integrity, availability and resilience of systems and services,
  • the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident,
  • a process for regularly reviewing, assessing and evaluating the effectiveness of the technical and organisational measures.

Data processing agreement (DPA)

If the service provider appears to be diligent on the basis of the review of the technical and organisational data protection concept, it must be contractually obliged to comply with data protection law on the basis of Art. 28 GDPR. A processor contract must therefore be concluded to agree, inter alia:

  • that personal data will only be processed on the documented instructions of the controller,
  • which technical and organisational measures the service provider must take,
  • that the controller may monitor the service provider,
  • which sub-processors are involved and
  • the conditions under which further sub-processors may be involved.

Service providers in third countries

In practice, it regularly happens that service providers in third countries outside the EEA are commissioned, such as AWS or Microsoft for hosting and application services. Although this is the normal case in IT practice, it brings additional challenges under data protection law. In addition to the requirements described above, the controller must then ensure that there are appropriate guarantees for the protection of the data concerned for processing in the third country. The standard contractual clauses of the EU Commission, binding corporate rules or adequacy decisions of the EU Commission are often used for this purpose. However, it may also be necessary to take further technical measures or to carry out a data transfer impact assessment.


In a Nutshell: Legal Tech

The term “Legal Tech” is currently used for many things: In recent years, it has become an indispensable marketing buzzword in the presentations of many law firms and some start-ups. This article briefly explains what Legal Tech actually is, what it is not, and what role Legal Tech plays in a modern and innovative law firm like PLANIT//LEGAL.

Where does Legal Tech start?

Actually, any kind of technology, be it hardware or software, that makes life and work easier for legal practitioners (and their clients or customers) is in some way a form of Legal Tech. This means that both a fax machine and Microsoft Word are part of the broad definition of “Legal Tech”. In this sense, it has been impossible to imagine German law firms and courts without Legal Tech for decades.

Of course, when the average lawyer or computer scientist talks about “Legal Tech”, they do not mean a fax machine. The term has now become quite focused and probably only means highly specialised software products (possibly coupled with supporting services) that can solve certain legal tasks or problems better or faster than a human being. The magic word here, not least to attract venture capital, is scalability.

The development therefore continues: Legal Tech in the “narrower sense” only begins where users start thinking about technical innovation. In other words, Legal Tech starts where “we’ve always done it that way” ends.

Against the background that many start-ups specialise exclusively in Legal Tech products, however, the term refers not only to technologies, but to the culture that has formed around the creation and distribution of this technology. Legal Tech thus combines components from the legal, IT and start-up spheres.

Where does Legal Tech stop?

The boundaries of Legal Tech are found in the broad field of artificial intelligence or “AI”. We are still some time away from “general artificial intelligence”, i.e. a general-purpose AI that comes close to human intelligence.

However, it is already possible to train so-called “narrow purpose” AI with a correspondingly limited scope. Techniques such as machine learning and neural networks are used to train algorithms to deliver results “like a human”. But this requires very large amounts of data, very smart computer scientists and a lot of patience, because “training” in this context also means that errors have to be constantly corrected and weeded out. Products based on these technologies that can recognise or assess certain contract clauses are already market-ready today.

Therefore, Legal Tech offers that particularly advertise “AI” implementations should be treated with caution. These will mostly be either complex (but hard-coded) algorithms or highly experimental applications that are still in the “learning phase”.

In any case, Legal Tech will not be able to replace legal practitioners in the medium term – the focus must be on support services that pre-process or “pre-chew” data. For professional and liability concerns alone, the result will have to go back over a human’s desk.

What role does Legal Tech play at PLANIT//LEGAL?

Legal Tech plays a prominent role at PLANIT//LEGAL – this is already in the name and in our specialisation: in the consulting fields of IT and data protection, we deal with complex, technical matters on a daily basis. But our passion for technology also drives us internally: PLANIT//LEGAL creates its own Legal Tech (software) products and tools with several in-house programmers.

The flagship product is our privacy management platform PLANIT//PRIMA. This innovative tool is used both in-house and by our clients, and even as a white-label solution, and supports companies and law firms of all sizes in setting up and maintaining a data protection management system quickly, legally securely and, above all, innovatively.

This blog article is an abridged version of our presentation at the Autumn Academy 2020 of the German Society for Law and Informatics, available here: