What applies to providers and subcontractors with regard to obligations to report breaches of data security?
Obligations to report breaches of data security that are likely to entail a high risk for the personal or basic rights of the affected person don’t apply only to the responsible entity, i.e. you as a company. If you work together with third-party companies (providers), such as an IT provider that renders services for your company and processes personal data, then such data breaches must also be reported by these companies, even if the breaches do not entail any consequences. For this reason, we recommend referring to reporting obligations in your contracts with third-party companies and defining a process for this purpose.
What should you govern in the contract?
There are no legal provisions specifying what must be governed in contracts with subcontractors when it comes to data security. However, we recommend including the following:
- The reporting obligation for all breaches of data protection
- The reporting process and responsible persons of both parties
- The way in which data security is to be guaranteed
What else do I need to bear in mind?
If other companies process personal data on your behalf, this must also be documented in your privacy policy. So don’t forget to keep it up to date.