Many web hosts and users of hosting services have not yet dealt with the legal requirements in detail. As soon as the services of a web host are used, a written agreement may be necessary. This is especially true where the requirements of § 11 BDSG are met: the provision states that when the processing of personal data is outsourced, certain contents must be agreed and recorded in writing. We explain below what the agreement must contain and what the consequences of non-compliance may be.
§ 11 BDSG - Web hosting partly only possible with written agreement
Web hosting is now offered by numerous service providers. Often a few clicks are enough to set up a WordPress blog, a website or an online shop. Most web hosts are not aware that a written agreement must be concluded with the customer if personal data is processed in the course of the engagement. This is required by § 11 BDSG (Federal Data Protection Act). In web hosting, a provider makes storage space on a web server available to a customer. The scope of services ranges from the simple provision of resources to more extensive services such as data backup, monitoring and statistical evaluation. If the services provided involve the storage and processing of personal data, a written agreement must be concluded. This applies in particular where commissioned data processing (Auftragsdatenverarbeitung) is involved, i.e. the outsourcing of data processing operations. In that case the web host is bound by the client's instructions: it has no decision-making or evaluation leeway of its own with regard to the data entrusted to it.
The content of § 11 BDSG (Federal Data Protection Act)
§ 11 I BDSG states that the client remains responsible for compliance with the provisions of the BDSG. Among other things, the client must ensure that the web host complies with the BDSG when processing personal data. If damage occurs, the client bears it in the first instance and can seek recourse against the web host by way of compensation. § 11 II BDSG requires the client to select the contractor (the web host) carefully, with particular regard to the suitability of the technical and organisational measures the contractor has taken. It further stipulates that the order must be placed in writing and that the contract must specify in particular the following ten points:
- Subject and duration of the order
- Scope, nature and purpose of the intended collection, processing or use of data, the nature of the data and the circle of data subjects
- The technical and organisational measures to be taken in accordance with § 9 BDSG
- The rectification, erasure and blocking of data
- The contractor's obligations under § 11 IV BDSG, in particular the inspections it must carry out
- Any authorisation to engage subcontractors
- The client's control rights and the contractor's corresponding obligations to tolerate and cooperate with them
- Breaches by the contractor or its staff of provisions protecting personal data or of the stipulations made in the order, which must be reported to the client
- The scope of the authority to issue instructions that the client reserves vis-à-vis the contractor (web host)
- The return of data carriers provided and the deletion of data stored by the contractor after completion of the order
In the case of public bodies, the order may also be placed by the technical supervisory authority. Before data processing begins, and regularly thereafter, the client must satisfy itself that the technical and organisational measures taken by the contractor are being complied with, and the result must be documented. § 11 III BDSG adds that the contractor, i.e. the web host, must notify the client immediately if, in its opinion, an instruction from the client violates the BDSG or other data protection provisions.

This raises the question of liability for those who use the services of web hosts. It is characteristic of commissioned data processing that the obligation to comply with the statutory provisions continues to rest with the client and not with the web host, even though the web host carries out the processing of personal data. The duty of care begins before the order is placed: customers are obliged to satisfy themselves of the technical suitability of their future web host, and this duty continues throughout the contractual relationship.

The most important requirement remains that the order for data processing must be placed in writing. A written agreement presupposes that both the web host and the customer sign the contract; submitting an online form or placing an order by e-mail is not sufficient. Furthermore, the agreement must contain the ten points listed above in order to meet the requirements of § 11 BDSG.
The BDSG in connection with web hosting
Whether web hosting constitutes commissioned data processing within the meaning of § 11 BDSG, and whether a written agreement is therefore actually required, is disputed. Some legal scholars take the view that commissioned data processing is always present when storage space and computing power are obtained from a third party; on this view, web hosting always involves commissioned data processing. The reasoning is that physical control over the data gives the host considerable possibilities to influence the data processing, so commissioned data processing is assumed whenever the data processing systems can be influenced. This applies all the more if the web host also takes on monitoring and maintenance tasks. Other legal scholars hold that commissioned data processing does not yet exist in these cases: a customer who requires storage space from a web host merely rents external data processing systems, and it is the customer who decides which programs are installed and which personal data is stored. This second view accepts commissioned data processing only if the web host makes and retains backups. The German data protection supervisory authorities assume commissioned data processing whenever an online shop is hosted, since personal data is stored in every online shop.
European regulations on commissioned data processing
As already explained, a written agreement for web hosting is always necessary if the web host performs commissioned data processing. The Data Protection Directive (Directive 95/46/EC) refers to this group as "processors". The European Union's independent advisory body, the "Article 29 Working Party", has commented on the role of web hosts: "Web hosts are processors of personal data published on the Internet by their customers". For web hosts it is therefore of enormous importance whether their services are classified as commissioned data processing. The far-reaching consequences of a breach could include criminal and civil penalties. In the case of commissioned data processing, web hosts would also have to grant their customers access to their data centres so that the customers can form a picture of the organisational and technical measures in place. It is hardly surprising, then, that most web hosts do not consider themselves commissioned data processors within the meaning of § 11 BDSG. Violations of the BDSG can be punished by the data protection supervisory authority under § 43 I No. 2b in conjunction with § 43 III BDSG with a fine of up to 50,000 euros.

Whether web hosting constitutes commissioned data processing cannot currently be answered with certainty. Various opinions exist in the literature, but the courts have not yet ruled on the matter, so the conclusion of web hosting contracts in the potential area of commissioned data processing is currently a legal grey area. Shop operators who have their online shop hosted by a web host are likely to be affected by commissioned data processing and should therefore keep a permanent eye on legal developments. Web hosts who want to be on the safe side should obtain model contracts for commissioned data processing so that they have something to present in case of doubt.
Customers who are uncertain should contact their web host and seek advice on their individual case.