Process outsourcing continues to boom
German companies are once again concentrating on their core business and are increasingly outsourcing organizational tasks. Today, business process outsourcing (BPO) dominates: it is no longer individual departments but specific business processes that are placed in the hands of a service provider. Typical examples are the outsourcing of financial accounting or the handover of personnel administration, including payroll. This always involves commissioned data processing, the term for the collection, processing and use of personal data by a service provider on the client's behalf. From a data protection perspective, commissioned data processing is the sensitive part of BPO: the commissioning company remains responsible for the personal data of its employees (and/or its customers), so its contracts with the service provider must ensure that data protection is guaranteed.
The Federal Data Protection Act regulates the obligations for commissioned data processing
BPO service providers relieve the burden on companies and thus help increase efficiency. With their expertise and resources, they optimize processes and minimize errors. The prerequisite is a clear contractual arrangement between the client and the service provider. For commissioned data processing, the content of that agreement is regulated, among other things, by Section 11 of the Federal Data Protection Act (BDSG), "Collection, processing or use of personal data on behalf of others". The agreement must be recorded in writing and must specify not only the type and duration of the engagement, but also
- the precise scope, type and purpose of the data collection, processing and use
- the categories of data subjects affected
- the technical and organisational measures to be observed
- the client's rights of control and its authority to issue instructions
Before commissioned data processing begins, the client must satisfy itself that it has selected a suitable service provider (a contract data processor within the meaning of the BDSG). It must also monitor compliance with data protection while the services are being provided. If a contractor can demonstrate an independent audit, for example certification according to ISO 9001 or ISO 27001, that audit may be recognised as evidence.
Required technical and organizational measures of the service provider
In an audit or certification, contractors (contract data processors) must explain precisely which data protection measures they have taken. They must ensure that:
- unauthorized persons cannot enter the rooms in which data is processed
- computers are protected against unauthorized access from outside (hackers) and from inside (persons without authorization)
- access to data is controlled and documented
- the input and transfer of data is logged
- stored data records cannot be deleted, changed or copied without authorization
- data carriers are protected from damage and loss
- data can be returned or demonstrably deleted at the end of the engagement
- the client's instructions are complied with
- data collected for different purposes is kept separate.
In 2018, the European Union’s General Data Protection Regulation will apply
Business process outsourcing does not stop at national borders. Service providers and commissioning companies have until May 2018 to adapt to the changes brought by the General Data Protection Regulation (GDPR), with which the European Union is standardising data protection in companies, authorities and organisations. Since there is no grandfathering for existing contracts, all current contractual relationships must also be adjusted by this deadline. Companies and contractors face several changes. The regulation introduces a new term for the client: the "controller". The controller issues the engagement and its instructions to the "processor" (the former contract data processor) and remains the first point of contact for data subjects. Where two or more controllers jointly determine the purposes and means of processing personal data, they must record this in a written joint control arrangement ("joint controllership"). If data subjects suffer moral or financial damage, they are entitled to compensation from the controllers. However, if the processor violates its client's instructions, the responsibility transfers to the processor, and with it the obligation to pay damages. If, for example, employee data in payroll or financial accounting is not protected from misuse and is used by unauthorized persons, those affected can sue.
New obligations for processors
In terms of content, the European regulation builds on the rules of the Federal Data Protection Act. However, there are new obligations for service providers that process data on behalf of others: in future they must keep a precise record of the processing activities carried out for the controller. Legally compliant contract design and data-protection-compliant execution of the work become particularly important because the fines for violations have been raised significantly, to up to 10 million euros or up to 2 percent of worldwide annual turnover.
Conclusion for Business Process Outsourcing
If your company plans to outsource business processes to external service providers as part of a BPO, the contractual arrangements must be designed in line with the new GDPR. The client remains responsible for the handling of personal data and must audit and control its service provider; however, if the service provider violates the client's instructions, it becomes liable for damages to the persons concerned. The new European regulation contains extensive requirements, but a professional service provider should master them, and model contracts and checklists help with implementation.
As a long-standing specialist in business process outsourcing, ICS is already equipped for the new GDPR.
What risks and opportunities do you see in the European Union’s new General Data Protection Regulation? We look forward to your comments.
Image source: Fotolia.com, Photographer: Weissblick