Is Your Company Well Prepared in Terms of (IT-) Law and Data Protection?
The corona crisis has given digitalization in Germany an unprecedented boost. Contact restrictions forced us all to use digital technology in almost every area of life. Examples of this phenomenon are our professional activities from the home office, video telephony with colleagues or friends, and digital leisure activities such as readings, lectures and digital concert visits. This trend will remain sustainable. Medium-sized companies have also recognized this and are investing more heavily in digital solutions. But there are challenges in terms of IT and data protection law. This article describes how you can take advantage of the trend toward digitalization and overcome legal challenges.
The Digitalization Phenomenon – Advantages and Challenges
The advantage of digital solutions is obvious. They change, realign and in most cases optimize analog value-added and business processes. The use of digital solutions can thus lead to an increase in efficiency and cost savings. These effects are achieved, for example, by saving on travel costs and making more efficient use of personnel and resources in operating processes. This also results in synergies for your customers, as those costs no longer need to be passed on to your customers. This inevitably increases the satisfaction of your customers.
Conventional digital solutions include smartphones, laptops and tablets. These are largely established in our living and working culture. Supposedly new digital solutions that have not yet become established in every industry are applications and services, such as company news apps, digital project management tools like Jira and Asana or digital marketing tools (e.g. HubSpot, Marketo, Oktopost).
Especially at the beginning of the corona crisis, many companies had to painfully realize that their business processes were not designed for their employees to work from their home office. This posed very practical questions, such as how to obtain effective signatures from two authorized employees who were not in the same place because of their home office. One solution is provided by tools such as DocuSign or Adobe Sign, which allow contracts or other important business letters to be signed digitally with a qualified electronical signature, regardless of the location of the management. The same applies to video conferencing tools. Many companies have found that individual departments do not always need to be in the same place to plan and discuss projects. Instead, the departments can meet virtually using video conferencing tools. This change from an analog to a digital working world is currently taking place very dynamically thanks to Corona, because since March 2020 at the latest, companies in Germany have understood the necessity of investing in such digital solutions.
Digital solutions therefore offer numerous advantages, but also present companies with major IT and data protection challenges. The legal framework must be justifiable and suitable for the intended use (keywords: correct licensing model, sufficient availability). Most digital solutions also process personal data. Your organization must therefore ensure that data protection requirements are taken into account and implemented in the selection process of a digital solution during the procurement and introduction of digital solutions – otherwise you could face stiff fines.
What Are the Legal Requirements for the Introduction of Digital Solutions?
If you are planning to purchase a large number of new digital solutions, it may be advisable, in order to relieve the burden on your own IT, specialist and purchasing department, to keep your own templates of purchase or project contracts or at least IT terms and conditions of purchase and a data processing agreement available. Also then try to enforce your own contract templates or IT terms and conditions of purchase against the provider.
The following checklist can be used as a guide for the examination of IT contracts. This provides an initial overview of the IT-legal requirements of digital solutions, without claiming to be complete:
Checklist IT Law
- When purchasing digital solutions, the scope of licenses must be appropriate. Make sure that you select or negotiate the appropriate licensing model for your company and purpose.
- If you do not want to buy software, but only want to use it for a limited period of time (e.g. rent, SaaS), you should think about availability. Especially with business-critical applications, you should make sure that the provider guarantees the highest possible availability. Non-compliance with this availability is usually subject to legal consequences in the form of so-called service credits, which are comparable to a contractual penalty, and an extraordinary right of termination.
- Conclude appropriate maintenance and support contracts. By agreeing on so-called service levels, you ensure that a digital solution is restored as quickly as possible in the event of its failure. For example, the provider promises you 24/7 availability of its support hotline and you define response and, in the best case, resolution times within which the provider must respond to your support ticket (response time) and eliminate the problem you have pointed out (resolution time).
- Of particular importance is the question of the distribution/granting of rights. Therefore clarify: Who is the owner of the rights and who is allowed to use the rights and to what extent? If you want to have a digital solution developed individually and thus secure advantages over your competitors, you should have rights granted exclusively. At least for a certain period of time.
- Think of the decrease or achievement of milestones and the legal consequences associated with them. Unfortunately, more extensive software projects are often delayed in practice. In addition to good project management, contracts with clear regulations and legal consequences are therefore recommended. Contractual penalties or lump-sum damages in the event that certain agreed milestones are not achieved can create incentives for the provider to perform on time. Your project management must document project delays cleanly and, if necessary, request the provider to perform again in writing in order to be able to claim contractual penalties or lump-sum damages from the provider.
- Warranty and liability play an important role in every contract. Attention should be paid to this as well.
If the IT-legal examination shows that the regulations put you as a customer at a severe disadvantage, for example, in that the warranty and liability of the provider is largely excluded, or e.g. the regulated scope of the license does not fulfill the intended purpose of use, because an explicit right of use for subsidiaries may be missing and sublicensing and transfer are prohibited, negotiations with the provider are worthwhile. If not all wishes can be implemented, you must agree internally which regulations can be accepted.
From a data protection point of view, the requirements of the GDPR listed below in the Data Protection Checklist must be observed and implemented:
Data Protection Checklist
- Providers of digital solutions will in most cases process personal data on your behalf, in which case you must conclude a data processing agreement with the provider that meets the requirements of Art. 28 GDPR. If, exceptionally, you determine the means and purposes of processing together with the provider, you are jointly responsible and an agreement pursuant to Art. 26 (1) sentence 1 GDPR must be concluded with the provider. According to the ruling of the European Court of Justice in case C 210/16 Facebook Fanpage Operator and Facebook are joint controllers.
- When using digital solutions from providers in third countries (e.g. USA), make sure that data transmission is only carried out subject to appropriate safeguards (e.g. adequacy decision, EU standard contractual clauses, corporate binding rules) in accordance with the GDPR (see also below under Excursus).
- Make sure that the provider of the digital solution has implemented the data protection principal privacy by design by enabling data protection-friendly presettings and providing deletion routines and access concepts. Ensure that the digital solution is configured so that the privacy-friendly presettings are enabled.
- As soon as you process personal data, you must inform the data subject, e.g. your employees or your customers, in accordance with Art. 13 GDPR in detail about, among other things, the purposes of the data processing, the legal basis, data recipients and their rights as data subjects.
- Finally, you also have to keep a record of the processing activity that you optimize through the digital solution, with the information required by Art. 30 GDPR. Here, the use of a data protection management system (e.g. our tool PLANIT // PRIMA) is recommended.
- In individual cases, such as when new technologies (e.g. AI) are used, it may be necessary to conduct a data protection impact assessment (Art. 35 GDPR).
If the examination under data protection law reveals that the data processing agreement contains provision which violate the GDPR, e.g. because the audit rights of the controller are too severely restricted or personal data can continue to be stored after termination of the contracts also due to storage obligations arising from any applicable law, changes to the data processing agreement must be enforced against the provider since the conclusion of a data processing agreement in violation of the GDPR is also subject to a fine. You can implement the information and documentation obligations listed in the data protection checklist internally and are not dependent on the cooperation of the provider.
Excursus: Data Transfers To Non-EEA Countries, Especially the USA
Data transmissions to the USA, where most provider of common digital solutions or at least their parent company is based, have become significantly more difficult since July 16, 2020. On July 16, 2020, the European Court of Justice (ECJ) declared the EU-US Privacy Shield to be invalid in its ruling in Case C-311/18 Data Protection Officer v Maximilian Schrems and Facebook Ireland (“Schrems II”). According to the case law of the ECJ, data transfers to the USA can currently only be based on the so-called EU standard contractual clauses in exceptional cases and “additional measures/guarantees” are required in any case. The reason for this is the government surveillance programs in the USA, such as UPSTREAM and PRISM, among others, which suggest that US providers of digital solutions cannot comply with the EU standard contractual clauses because the laws underlying these programs force them to surrender data to US security authorities. However, as the controller, you must check before transferring data to the U.S. and ensure that the provider can comply with the EU standard contractual clauses as a processor. According to the orientation guide of the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, “additional measures/guarantees” are at least encryption using self-administered keys that neither the US provider nor the US secret service can break, as well as anonymization. It also seems possible to have data hosted in Europe, provided that the US provider offers a choice of regions, and to agree with the provider that no data transfers to the USA will take place. The European Data Protection Committee is currently examining what additional measures a controller can take from a legal, technical and organizational point of view.
When purchasing digital solutions, it should therefore always be checked whether there is a European alternative to the most favored US products. In some areas this is already the case. Otherwise, the uncertainties resulting from the ECJ ruling must be addressed to the provider at an early stage and the controller’s own risks minimized, for example – provided the provider makes this technically possible – by selecting the region Europe while avoiding data flows to the USA.
An investment in digital solutions is worthwhile because of the savings and optimization potentials shown. Due to the Corona pandemic, smooth business processes in your company are hardly possible to maintain without the use of digital solutions. However, IT and data protection requirements must be observed and implemented, providers must be carefully selected, and IT contracts and data processing agreements must be carefully reviewed and, if necessary, negotiated. In addition, information and documentation obligations under data protection law must be fulfilled and, in particular, data protection declaration and a record of processing activity must be created. The development of data protection law with regard to data transfer to the USA remains to be seen and should be closely followed by you or your data protection officer.