12 June 2018

EU General Data Protection Regulation: On the Safe Side with ZEP

On 25 May 2018, the time had come: on this date, the EU General Data Protection Regulation (EU GDPR) came into force. The aim of the regulation is to harmonise and strengthen the protection of personal data throughout the EU. Companies that store and process such data must take even more extensive measures to protect it under the new regulation. If this storage and processing is carried out by a third party as commissioned data processing, for example by a cloud service provider, new rules have also had to be observed since May 2018, which we would like to briefly explain below.

Website, online shop, cloud solution: In these cases, commissioned data processing applies

Thus, the commissioned data processing previously regulated in Section 11 of the Federal Data Protection Act has been newly regulated by the EU GDPR. Commissioned data processing is when a third party processes personal data for a company within the framework of a contractual agreement, e.g. by storing it on its IT systems. Examples of use are websites on which visitors can register in online forms or online shops through which customers can make purchases. As a rule, these websites or e-shops are not operated by the provider itself, but by a hoster or internet service provider. As a result, the personal data of website visitors or online shop buyers also ends up with this service provider.

Another area of application in practice is the use of software applications that are operated in the cloud computing model. Take ZEP as an example: if you use our time recording solution in the cloud computing model, the data of the customers and employees processed with the ZEP time recording and its additional modules (e.g. invoicing) are stored at the cloud service provider, i.e. us. According to previous case law, we have thus taken over the commissioned data processing for our customers in accordance with the Federal Data Protection Act (BDSG).

From "commissioned data processing" to "commissioned processing"

The renaming of "commissioned data processing" to "commissioned processing" when the EU GDPR came into force is certainly the least important change. More important is the fact that there must now be a contract for commissioned processing in accordance with Art. 28 GDPR, which replaces the previous contract for commissioned data processing in accordance with Section 11 BDSG.

Similar to its predecessor, this contract regulates the rights and obligations of both parties in commissioned processing pursuant to Art. 28 of the GDPR, such as

  • Subject matter and duration of processing
  • Nature and purpose of the processing
  • Type of personal data, group of data subjects
  • Scope of the authority to issue directives
  • Duties and rights of the responsible person
  • Obligations of the processor

EU GDPR: On the safe side with ZEP

Of course, we have been dealing with the requirements of the EU GDPR for quite some time and have implemented the corresponding data protection measures in order to fulfil these requirements within the framework of commissioned processing with ZEP. A current version of the contract for commissioned processing in accordance with Art. 28 EU GDPR is also available and forms the basis for all new customer contracts. All existing customers have received the "Supplementary Data Protection Agreement" in due time for countersigning.

If you have any further questions about data protection at ZEP in general, or about the EU GDPR and its implementation in the use of ZEP, please do not hesitate to contact us. We are gladly at your disposal.