Processor

The HWR is responsible for the processing operations that take place under its auspices. The personal data generated does not have to be processed by the HWR itself; it can also be processed by a processor (= service provider). This occurs, for example, when

  • surveys are conducted by a company,
  • a conference is organised by a commercial provider (participant registration, billing, …),
  • the HWR website is maintained and updated, or
  • data processing takes place with the help of an external cloud service.

In such cases, the university does not require a separate legal basis for the transfer of personal data to the processor, but only a contract for commissioned processing. The external service provider is then a processor. It processes personal data on behalf of the HWR. However, the processing by the processor is generally attributed to the university. This applies in particular in the event of Data Protection Incidents.

It is not always a case of commissioned processing. If it is difficult to make a distinction in individual cases, one can refer to the position papers of the Berlin and Bavarian data protection commissioners.

The following applies to a processor:

  • it is bound by the instructions of the HWR
  • it does not pursue its own purposes
  • it does not act independently vis-à-vis data subjects
  • it is a legal entity independent of the HWR
  • there is a legal relationship between the data controller and the data subject
  • there is a legal relationship between the controller and the service provider
  • service contract and order processing contract.

The inclusion of a processor in HWR processes requires a data protection review and approval by the Data Protection Officer, as §48 BlnDSG permits “only processors that provide sufficient guarantees that appropriate technical and organisational measures will be implemented in such a way that the processing will be in compliance with the requirements of this Regulation and will ensure the protection of the rights of the data subject”.

As the selection process and data protection review are complex, the review may take between one and six months. In these cases, we ask for a little patience and for enquiries to be sent to the Data Protection Officer in good time.

Special case of remote maintenance and support

Commissioned processing also exists as soon as there is the possibility of accessing personal data, especially where companies administer or remotely maintain IT systems via remote desktop (e.g. TeamViewer / AnyDesk). If maintenance staff access HWR systems, there are increased risks for stored information and personal data.

Paper of the Data Protection Conference: “Order Processing”
