APD/GBA - 22/2020

From GDPRhub
APD/GBA - DOS-2018-02716
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 24(1) GDPR
Article 28(3) GDPR
Article 32 GDPR
Article 33 GDPR
Article 34 GDPR
Type: Other
Outcome: n/a
Decided: 08.05.2020
Published: 08.05.2020
Fine: None
Parties: n/a
National Case Number/Name: DOS-2018-02716
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: Belgian DPA (in NL)
Initial Contributor: n/a

After a data breach, the DPA had to assess whether the controller had violated Articles 5, 24, 28, 33 and 34 GDPR. None of these provisions was found to have been breached by the controller.

English Summary

Facts

The controller notified a data breach to the DPA after being alerted by the federal CERT. The DPA opened an investigation into possible violations of Articles 5, 24, 28, 33 and 34 GDPR.

Dispute

Holding

The litigation chamber holds that the defendant demonstrates that, in accordance with Article 24.1 GDPR, it took the necessary appropriate technical and organisational measures and also demonstrated that it had taken such measures at the request of the data protection authority.

More specifically, the defendant shows that it:

- included in its contracts with the processor the necessary provisions to regulate the processing of personal data by the processor, and more specifically to prohibit the processing of personal data for the purposes of development and testing of software by the latter;

- developed and documented the necessary internal risk assessment methods, both with regard to data leaks and with regard to the assessment of risks inherent to all processing activities, and submitted this documentation and an example of application of this methodology to the Litigation Chamber;

- evaluates the effectiveness of the procedures and measures it has put in place by means of annual external audits;

- as soon as it was informed of the data leak by the CERT, acted transparently both towards the Data Protection Authority and towards the data subjects. The defendant submitted a notification form and an additional notification to the Data Protection Authority on 4 and 6 June 2018 respectively, in accordance with Article 33 GDPR. The defendant also notified the data subjects of the personal data breach in accordance with Article 34 GDPR and published a press release on 15 June 2018; and

- formally notified its processor of the prohibited processing on 15 June 2018 and provided evidence thereof.

For these reasons, the Litigation Chamber considers that no infringement of Articles 5.1(f), 5.2, 24.1, 32, 33, 34 and 35 GDPR can be identified.

Comment

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Litigation chamber
 
Decision on the substance 22/2020 of 8 May 2020 
 
 
 
File number : DOS-2018-02716 
 
Subject: Infringement in connection with personal data and obligation to enter into a processing agreement (on time) 
 
 
The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Frank De Smet and Dirk Van Der Kelen, members; 
 
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter AVG; 
 
Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter referred to as WOG; 
 
Having regard to the Internal Rules of Procedure approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019; 
 
Having regard to the documents in the file; 
 
 
 	 
has taken the following decision regarding: 
 
the Y, hereinafter referred to as "the defendant". 
 
 
1. Facts and procedure 
 
1.	On 4 June 2018, on the basis of Article 114/1 of the Act of 13 June 2005 on electronic communications and in accordance with European Commission Regulation 611/2013, the Data Protection Officer of the defendant notified the Data Protection Authority of a data breach. 
 
2.	On 6 June 2018, the defendant submitted an additional notification to the Data Protection Authority. 
 
3.	In his notification, the defendant states that he was informed by telephone of the relevant data leak by the Federal Computer Emergency Response Team (hereinafter 'CERT') on 28 May 2018 and that the CERT's notification was confirmed in writing on 29 May 2018. 
 
The data leak took place within the framework of the Master IT Service Agreement concluded on 17 June 2014 between the defendant and the company incorporated under Indian law Z (hereinafter 'the processor'). 
 
By means of this agreement, the latter was appointed to convert the defendant's existing e-shop, operating on the basis of the content management system Drupal 6, into a new e-shop operating on Magento. Furthermore, the processor was also asked to analyse and solve existing production problems concerning the website. 
 
To test the new e-shop and fix these problems, the processor placed a copy of the production database, including the order history, on an Amazon Web Services (AWS) cloud server. The processor activated a web server on port 80 (HTTP) on this AWS instance and, by applying incorrect security settings, allowed free access to it. In addition, the processor activated the "Directory Listing" service on this server, enabling browsing of the entire directory structure on the web server. 
 
As a result, the personal data of the defendant's customers were accessible from the internet from 22 March 2018 to 28 May 2018. Forensic analysis of the log files showed that the data was consulted and/or downloaded by third parties. 
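The forensic step described above, as an added example that is not part of the decision or of any party's own tooling: a Python triage over Apache-style access log lines that flags external clients who browsed directory listings or successfully fetched dump-like files, which is what a defender would look for once a misconfigured test server is found. The log lines, IP addresses, file names, dump suffixes and internal network ranges are all constructed for this example; treating a 200 response to a path ending in '/' as a listing view only holds on a server with directory listing enabled, as in this case.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" access-log format. Only the fields needed for triage
# are captured; referer and user-agent are left unparsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Artefacts that should never sit in a public web root: database dumps,
# backups and bulk exports. Constructed list for this example.
DUMP_SUFFIXES = (".sql", ".sql.gz", ".dump", ".bak", ".csv", ".tar.gz", ".zip")

# Ranges treated as the controller's own/internal space for this example
# (RFC 1918, loopback, link-local); an operator would substitute their own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log: one external client browses listings and pulls a
# dump, an internal host fetches the same dump, a second external client
# gets a 404 and then a bulk CSV, and a normal visitor loads the shop front page.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Mar/2018:02:14:05 +0000] "GET / HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Mar/2018:02:14:09 +0000] "GET /backup/ HTTP/1.1" 200 921 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Mar/2018:02:14:31 +0000] "GET /backup/orders_prod.sql.gz HTTP/1.1" 200 48213377 "-" "Mozilla/5.0"
10.0.2.15 - - [23/Mar/2018:08:00:01 +0000] "GET /backup/orders_prod.sql.gz HTTP/1.1" 200 48213377 "-" "curl/7.58.0"
198.51.100.42 - - [02/Apr/2018:11:47:52 +0000] "GET /backup/orders_prod.sql.gz HTTP/1.1" 404 196 "-" "python-requests/2.18"
198.51.100.42 - - [02/Apr/2018:11:48:10 +0000] "GET /db/customers%20export.csv HTTP/1.1" 200 5120000 "-" "python-requests/2.18"
192.0.2.9 - - [03/Apr/2018:09:15:00 +0000] "GET /index.php HTTP/1.1" 200 5211 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # Strip the query string and decode %xx escapes so suffix checks see the real name.
    rec["path"] = unquote(rec["path"].split("?", 1)[0])
    return rec


def is_external(ip):
    """A third party is any source outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable source: treat as untrusted
    return not any(addr in net for net in INTERNAL_NETS)


def triage(lines):
    """Summarise, per external client, successful listing views and dump downloads.

    Assumption: directory listing was enabled on the server, so a 200 response
    to a path ending in '/' is a listing of that directory.
    """
    report = defaultdict(lambda: {"listings": [], "downloads": [], "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("GET", "HEAD"):
            continue
        if rec["status"] not in (200, 206):  # only content actually served counts
            continue
        if not is_external(rec["ip"]):
            continue
        entry = report[rec["ip"]]
        if rec["path"].endswith("/"):
            entry["listings"].append(rec["path"])
        elif rec["path"].lower().endswith(DUMP_SUFFIXES):
            entry["downloads"].append(rec["path"])
            entry["bytes"] += rec["size"]
    # Drop clients that only fetched ordinary pages.
    return {ip: v for ip, v in report.items() if v["listings"] or v["downloads"]}


if __name__ == "__main__":
    for ip, v in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(v['listings'])} listing views, "
              f"{len(v['downloads'])} dump downloads, {v['bytes']} bytes")
```

On a real server the same pass would be run over the full retention window (here 22 March to 28 May 2018) and the resulting client list fed into the breach severity assessment and the notification to data subjects.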
 
According to the information contained in the notification form submitted by the defendant to the Data Protection Authority, it concerned in particular identification data (name, address, telephone number), electronic identification data (IP addresses), national registry numbers and IBAN numbers of the persons concerned. In this report form, the defendant also indicates that the data leak relates to the personal data of 32,153 persons. 
 
4.	By e-mail dated 6 June 2018, the Data Protection Authority, after consultation with the Belgian Institute for Postal Services and Telecommunications (hereinafter "BIPT"), asks the defendant a number of additional questions relating to the data leakage and more specifically concerning the nature of this data leakage, the risk assessment method used by the defendant, the legal basis of the processing, the notification of the data subjects and the possible involvement of other European Member States and supervisory authorities. 
 
5.	By e-mail dated 11 June 2018, the data protection officer of the defendant answers some of the above questions. 
 
The defendant submits a draft notification to those concerned as well as a draft press release. Furthermore, the defendant specifies that the processor did not have permission to copy the data to a non-production environment. The defendant also states that no other European data protection authorities were informed. 
 
6.	By e-mail dated 12 June 2018, the Data Protection Authority sent some additional questions to the respondent. 
 
In particular, the defendant is requested to provide a copy of the processor's contract as well as the results of the security audit carried out on the processor. Furthermore, the Data Protection Authority asks whether a data protection impact assessment will be carried out with regard to the risks associated with the management of the defendant's e-shops and whether new concrete agreements have been made with the processor. 
 
7.	By e-mail dated 14 June 2018, the data protection officer of the defendant answers these questions. 
 
8.	On 11 July 2018, the Management Committee of the Data Protection Authority decided on the basis of Article 63, 1° WOG to refer the file to the Inspectorate since it found serious indications of the existence of a breach of, on the one hand, the accountability regarding the assessment of the risk when notifying a personal data breach and, on the other hand, the obligation to enter into a processing agreement (in a timely manner). 
 
9.	By e-mail dated 10 August 2018, the data protection officer of the defendant transmits the replies of the defendant to the questions raised by the data protection authority on 10 July 2018. 
 
10.	By letter dated 5 February 2019, the Data Protection Authority put a number of additional questions to the respondent. 
 
11.	On 22 February 2019, the defendant's Data Protection Officer transmitted the defendant's answers to the questions raised by the Data Protection Authority on 5 February 2019. 
 
12.	On 12 August 2019, in accordance with Article 91, §2 of the WOG, the Inspection Service submits its inspection report to the chairman of the Disputes Chamber. 
 
13.	On 12 September 2019, the Disputes Chamber decided on the basis of Articles 95, §1, 1°, and 98 WOG that the complaint was ready to be dealt with on the merits. 
 
14.	By registered letter dated 12 September 2019, the defendant was informed that the complaint was ready to be dealt with on the merits and was also informed of the time limit for submitting its defences pursuant to Article 99 of the WOG. 
 
15.	On 14 October 2019, the defendant filed its conclusions and requested to be heard pursuant to Article 98, 2° WOG. 
 
16.	On 8 April 2020, the defendant was heard by the Disputes Chamber in accordance with Article 53 of the Rules of Procedure. 
 
17.	On 23 April 2020, in accordance with Article 54 of the Rules of Procedure, the minutes of the hearing were sent to the defendant. 
 
18.	On 28 April 2020, the defendant submitted its observations, which, in accordance with Article 54, §2 of the Rules of Procedure, are annexed to the minutes of the hearing. 
 
2. Legal basis 
 
Article 5.1 f) AVG 
 
1. Personal data must be: (…) 
(f) processed by the application of appropriate technical or organisational measures in such a way as to ensure their security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage ('integrity and confidentiality') 
 
Article 5.2 AVG 
 
"The controller shall be responsible for ensuring compliance with paragraph 1 and shall be able to demonstrate it ('accountability')". 
 
 
Article 24.1 AVG 
 
"1. Having regard to the nature, extent, context and purpose of the processing operation and the varying degrees of likelihood and seriousness of the risks to the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and demonstrate that the processing is carried out in accordance with this Regulation. Those measures shall be reviewed and, where necessary, updated". 
 
 
 
 
Article 28.3 AVG 
 
"3. The processing by a processor shall be governed by a contract or other legal act under Union or Member State law binding the processor vis-à-vis the controller, defining the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the rights and obligations of the controller. That agreement or other legal act shall provide in particular that the processor: 
 
a)	processes personal data solely on the basis of written instructions given by the controller, including in relation to transfers of personal data to a third country or an international organisation, unless a provision of Union law or Member State law applicable to the processor obliges it to carry out processing, in which case the processor shall notify the controller of that law prior to processing, unless that law prohibits such notification on grounds of substantial public interest; 
b)	ensures that the persons authorised to process the personal data have undertaken to respect confidentiality or are bound by an appropriate legal obligation of confidentiality; 
c)	takes all necessary measures in accordance with Article 32; 
d)	satisfies the conditions for engaging another processor referred to in paragraphs 2 and 4; 
e)	taking into account the nature of the processing, assist the controller, as far as possible, by means of appropriate technical and organisational measures, in fulfilling his duty to reply to requests for the exercise of the data subject's rights set out in Chapter III; 
f)	taking into account the nature of the processing and the information available to him, assist the controller in ensuring compliance with the obligations laid down in Articles 32 to 36; 
g)	at the end of the processing services, according to the choice of the controller, delete all personal data or return them to him, and delete existing copies, unless storage of the personal data is required by Union or Member State law; 
h)	make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow and contribute to audits, including inspections, by the controller or another auditor mandated by the controller. As regards point (h) of the first paragraph, the processor shall immediately inform the controller if it considers that an instruction infringes this Regulation or other provisions of Union or Member State law on data protection'. 
 
Article 32 AVG 
 
"Having regard to the state of the art and the cost of implementation, as well as the nature, scale, context and purposes of the processing, and the varying degrees of probability and seriousness of the risks to the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented, including, where appropriate: 
a)	the pseudonymisation and encryption of personal data; 
b)	the ability to ensure on a permanent basis the confidentiality, integrity, availability and resilience of processing systems and services; 
c)	the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; 
d)	a procedure for periodically testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing. 
2.	The assessment of the appropriate level of security shall in particular take account of the risks presented by the processing, in particular those resulting from the destruction, loss, alteration or unauthorised disclosure of, or access to, data transmitted, stored or otherwise processed, whether accidental or unlawful. 
3.	Alignment with an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element to demonstrate compliance with the requirements referred to in paragraph 1 of this Article. 
4.	The controller and the processor shall take measures to ensure that any natural person acting under the authority of the controller or of the processor and having access to personal data, processes them only on instructions from the controller, unless he is required to do so under Union or Member State law'. 
 
Article 33 AVG 
 
"Where a personal data breach has occurred, the controller shall notify it to the competent supervisory authority pursuant to Article 55 without unreasonable delay and, if possible, not later than 72 hours after it becomes aware of it, unless the personal data breach is not likely to jeopardise the rights and freedoms of natural persons. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay. 
2.	The processor shall inform the controller without unreasonable delay as soon as it becomes aware of a personal data breach. 
3.	The notification referred to in paragraph 1 shall specify or notify at least the following: 
a)	the nature of the personal data breach, including, where possible, the categories of data subjects and personal data registers concerned and, approximately, the number of data subjects and personal data registers concerned; 
b)	the name and contact details of the Data Protection Officer or any other contact point from which further information may be obtained; 
c)	the likely impact of the personal data breach; 
d)	the measures proposed or taken by the controller to deal with the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. 
4.	If and to the extent that it is not possible to provide all information simultaneously, the information may be provided in stages without unreasonable delay. 
5.	The controller shall document all personal data breaches, including the facts surrounding the personal data breach, its consequences and the remedial action taken. That documentation shall enable the supervisory authority to monitor compliance with this Article. 
 
Article 34 AVG 
 
"Where the personal data breach is likely to present a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. 
2.	The communication to the data subject referred to in paragraph 1 of this Article shall contain a description, in clear and simple language, of the nature of the personal data breach and at least the data and measures referred to in Article 33(3)(b), (c) and (d). 
3.	The communication to the person concerned referred to in paragraph 1 shall not be required where one of the following conditions is fulfilled: 
a)	the controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the personal data concerned by the personal data breach, in particular those making the personal data incomprehensible to unauthorised persons, such as encryption; 
b)	the controller has taken ex post measures to ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is unlikely to reoccur; 
c)	the communication would require a disproportionate effort. In that case, a public communication or a similar measure providing equally effective information to data subjects would take its place. 
4. Where the controller has not yet notified the personal data breach to the data subject, the supervisory authority may, after considering the likelihood of the personal data breach posing a high risk, oblige the controller to do so or decide that one of the conditions referred to in paragraph 3 is fulfilled'. 
 
3. Reason 
 
3.1. As regards the findings concerning the accountability and responsibility of the defendant (Articles 5, 24, 32, 33 and 34 AVG) 
 
Inspection report findings 
 
19.	In its inspection report, the Inspectorate notes that the defendant 'does not substantiate how the concrete risk-based approach imposed by (inter alia) Articles 5, 24, 32, 33 and 34 of the AVG is arrived at. The references by [defendant] to 'The ENISA method for a data leak' and to 'The CNIL method for a DPIA' are of a very general and vague nature, so that for this file [defendant] has not acted in accordance with Articles 5(2) and 24(1) of the AVG'. 
 
Defendant's defences 
 
20.	With regard to this finding of the Inspectorate, the defendant argues that he inferred from the reading of the provisions mentioned above that this indictment relates firstly to the obligation to carry out a data protection impact assessment within the meaning of Article 35 AVG and argues that, in his view, he was not obliged to carry out such an assessment or any other risk assessment for the processing in question. 
 
21.	In this respect, he first states that the act giving rise to the data leakage took place before the date of application of the AVG and consequently Article 35 AVG, which introduces the concept of data protection impact assessment. 
 
22.	Second, the defendant points out that the obligation to carry out such an impact assessment only applies where the processing is likely to present a high risk to the rights and freedoms of natural persons. However, he argues that, in the present case, the processing activity carried out by the processor that was at the origin of the data leakage was expressly prohibited by the defendant. The defendant clarifies that the processor used a non-production environment for testing and developing software in which it was only allowed to use anonymised data. Consequently, the defendant concluded that it could not be expected to carry out a risk assessment concerning an activity of its processor of which it was unaware and for which it had contractually prohibited the use of personal data. 
 
In this regard, the defendant refers to Annex C035A2 entitled "Data Privacy Requirements" to the Master IT Service Agreement concluded between the parties in 2014, which contained a clause stating that "confidential data may not be [copied] from a production environment to an 
non-production environment, unless the confidential data is masked'. He also refers to Clause 7 of the subsequent processing agreement between the Parties, which states inter alia: 'The Provider shall be obliged, when processing Personal Data (...): (r) to make Personal Data in non-production environments anonymous using industry-standard technology that still permits development, testing and acceptance by Providers or [Respondent]'. 
 
23.	The defendant also emphasises that, following the data leak on 15 June 2018, it formally served formal notice on the processor and encloses evidence thereof. 
 
24.	Furthermore, with regard to this part of the charge, the defendant claims that it did take the appropriate and organisational measures to assess risks and ensure an adequate level of security to prevent such risks. He argues that the aforementioned Annex C035A2 to the Agreement concluded on 17 June 2014 with the processor contained an overview of the risks relating to the processing of personal data, the main mechanisms to protect personal data and the obligations of the processor in this respect. 
 
25.	The defendant points out that, in accordance with Article 6.2 of the abovementioned Annex, annual audits of the processor were also provided for and attaches as supporting documents the last two audit reports drawn up by Ernst & Young LLP. 
 
26.	Finally, the defendant argues that it does have a risk assessment method for data leaks, and that this was the case both at the time of and after the 2018 data leak. He refers to his 'Data Breach Severity Assessment Method', based on the ENISA method, supplemented by, inter alia, ISO 31000 and ISO 27005 and adds documentation to his conclusion of reply. The defendant states that, in addition to this data leakage risk assessment method, it also has a general risk assessment method. It refers in this respect to its internal 'Security Risk Management Policy', which is used to assess the risks inherent in all processing activities. The defendant adds documentation in this respect as well as an example of an analysis based on this method, dated 16 September 2017. 
 
27.	The defendant adds that, on the basis of the assessment method mentioned above, the risks associated with the data leak that gave rise to the referral of this case were also assessed. He specifies that (the team of) the data protection officer, the security manager and the chief compliance officer were successively involved in this risk assessment procedure, after which their analysis was approved by the defendant's management committee. 
 
28.	The defendant stressed at the hearing that both it and the Data Protection Authority concluded in this file that the risk of the data leak should be assessed as high, that the defendant took all necessary measures in this regard, and that it therefore did not understand the charge of failure to comply with accountability. 
 
Dispute Chamber Analysis 
 
29.	The Disputes Chamber points out that the accountability of Article 5.2 AVG is one of the central pillars of the AVG and implies that the controller is responsible for, on the one hand, taking proactive measures to ensure compliance with the AVG rules and, on the other hand, being able to demonstrate that he has taken such measures. 
 
This is evident from, among other things, Opinion 3/2010 of the Article 29 Working Party on the principle of accountability, in which it states that two aspects should be emphasised with regard to this principle: 
(i)	'the need for a controller to take appropriate and effective measures to implement data protection principles; and 
(ii)	the need to be able to demonstrate on request that appropriate and effective measures have been taken. The controller must therefore be able to provide evidence of (i) above'. 

30.	This accountability does not only relate to the provisions of Article 5.1 of the AVG, but concerns the entire AVG. 
 
31.	The aforementioned follows from the merger of Article 5.2 of the AVG and Article 24.1 of the AVG, which states that 'Having regard to the nature, extent, context and purpose of the processing operations, and to the varying degrees of likelihood and seriousness of the risks to the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and demonstrate that the processing is carried out in accordance with this Regulation. Those measures shall be reviewed and, where necessary, updated'. 
 
32.	The Dispute Chamber points out that the accountability applied to data leaks means that a data controller is not only obliged to report these data leaks to the supervisory authority and the data subjects in accordance with Articles 33 and 34 of the AVG, where applicable, but must also be able to demonstrate at all times that he has taken the necessary measures to comply with this obligation. 
 
33.	In its Opinion 3/2010, the Article 29 Working Party includes a non-exhaustive list of 'accountability measures' that controllers can take in order to comply with this obligation. In this respect, the Working Party refers inter alia to: establishing internal procedures, drawing up a written and binding data protection policy, appointing a data protection officer, and developing internal procedures for effectively managing and reporting security breaches. 
 
34.	With regard to the evaluation of the effectiveness of these measures, the Working Party refers to internal and/or external audits as best practice. It specifies that the control methods used to assess the effectiveness of the measures taken must be adapted to the specific risks posed by the data processing, the volume of data processed and the sensitivity of that data. 
 
35.	Finally, it should be noted that transparency is an integral part of accountability and that this transparency vis-à-vis supervisory authorities as well as data subjects and the wider public puts the controller in a stronger position as regards his accountability. 
 
36.	The Disputes Chamber holds that, on the basis of the documents submitted and its defence, the defendant demonstrates that, in accordance with Article 24.1 of the AVG, it took the necessary appropriate technical and organisational measures in this case and, in accordance with Article 5.2 of the AVG, also demonstrated that it had taken such measures at the request of the Data Protection Authority. 
 
More specifically, the defendant shows that it: 
 
-	included in its contracts with the processor - both in the Master IT Service Agreement concluded in 2014 and in the processing agreement concluded after the entry into force of the AVG - the necessary provisions to regulate the processing of personal data by the processor, and more specifically to prohibit the processing of personal data for the purposes of development and testing of software by the latter (in particular, in Annex C035A2 annexed to the Master IT Service Agreement and in Article 7 of the processing agreement concluded on 6 June 2018); 
 
-	developed and documented the necessary internal risk assessment methods, both with regard to data leaks (the "Data Breach Severity Assessment Method") and with regard to the assessment of risks inherent to all processing activities (Security Risk Management Policy), and submitted this documentation and an example of application of this methodology to the Disputes Chamber; 
 
-	evaluates the effectiveness of the procedures and measures it has put in place by means of annual external audits; 
 
-	as soon as it was informed of the data leak by the CERT, acted transparently both towards the Data Protection Authority and towards the data subjects. The defendant submitted a notification form and an additional notification to the Data Protection Authority on 4 and 6 June 2018 respectively, in accordance with Article 33 of the AVG. The defendant also notified the data subjects of the personal data breach in accordance with Article 34 of the AVG and published a press release on 15 June 2018; and 
 
-	formally notified its processor of the prohibited processing on 15 June 2018 and provided evidence thereof. 
 
37.	For these reasons, the Disputes Chamber considers that no infringement of Articles 5.1(f), 5.2, 24.1, 32, 33, 34 and 35 AVG can be identified. 
 
 
3.2. As regards the findings concerning the obligation to conclude a contract with processors (Article 28 AVG) 
 
 
Inspection report findings 
 
38. The inspection report submitted by the Inspectorate to the Chamber of Disputes on 12 August 2019 found that 'at the time of the personal data breach (in the period between 22/03/2018 and 28/05/2018), the defendant had not concluded a contract with the processor for the processing activity in question. The contract was only finalised by [defendant] on 06/06/2018, as evidenced by the date above the signature of the person signing on behalf of [defendant]. Consequently, [defendant] did not act in accordance with Article 28 of the AVG for this file". 
 
Defendant's defences 
 
39.	In its conclusion of reply and at the hearing, the defendant states in response to this indictment that a comprehensive Master IT Service Agreement was concluded with the processor on 17 June 2014 and that this agreement explicitly laid down the obligations regarding the protection of personal data in its Article 14.4. The defendant adds that Annex C035A2, entitled "Data Privacy Requirements", which formed an integral part of the Master IT Service Agreement, contained additional obligations for the processor. 
 
40.	At the hearing held on 8 April 2020, the defendant pointed out that the contract concluded with the processor on 17 June 2014, and in particular Article 14.4 thereof, complied with the conditions imposed by the 1992 Law, which stated in particular that there had to be a contract between the parties and that provision had to be made for the processor to process personal data only on instructions from the controller and not for purposes other than those specified by the controller. 
 
41.	However, the defendant adds that this clause was already much more extensive as it also contained provisions on data leaks and assistance, and thus already contained a number of elements that later became law with the AVG. 
 
42.	The defendant further argues that following the entry into force of the AVG, negotiations took place with the processor and a new processor's agreement was drafted and signed by the processor on 21 May 2018 and by the defendant itself on 6 June 2018. The defendant argues that the fact that the signature of this contract by the latter was only a formality and that the fact that this only took place on 6 June 2018 is irrelevant since this contract only contains obligations for the processor. 
 
Dispute Chamber Analysis 
 
43.	According to Article 28.3 of the AVG, the processing by a processor must be governed by 'a contract or other legal act under Union or Member State law binding the processor to the controller, setting out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the rights and obligations of the controller'. This Article also lists the mandatory particulars that such a contract or legal act must contain. 
 
44.	The Disputes Chamber finds that the processing agreement drawn up by the defendant following the entry into force of the AVG contains the mandatory statements set out in Article 28 AVG, but that on the date on which the AVG entered into force it had not been signed by the defendant. 
 
45.	However, an organisation such as the defendant may be expected to prepare carefully for the introduction of the AVG from the time the AVG enters into force in accordance with Article 99 of the AVG in May 2016. After all, the processing of personal data is a core activity of the defendant, which, moreover, processes such data on a very large scale. 
 
46.	In view of the fact that the AVG became applicable as of 25 May 2018, the processing contract concluded between the defendant and its processor therefore had to be signed by both parties at the latest on that date. 
 
47.	The Chamber of Disputes finds, however, that there was an agreement of wills between the parties concerning this processing agreement and that it was drawn up by the defendant and signed by the processor before the date on which the AVG entered into force. 
 
48.	The Disputes Chamber is therefore of the opinion that no infringement of Article 28 of the AVG should be established in this case. 
 
4. Publication of the decision 
 
49. In view of the importance of transparency with regard to the decision-making of the Disputes Chamber, this decision is published on the website of the Data Protection Authority in accordance with Article 95, §1, 8° WOG. However, it is not necessary for the identification data of the defendant to be published directly for this purpose. 
 
 
FOR THESE REASONS, 
 
the Data Protection Authority's Disputes Chamber, after deliberation, decides: 
 
-	to order the dismissal of the case on the basis of Article 100, §1, 2° WOG. 
 
This decision may be appealed against under Article 108 §1 WOG within a period of thirty days from the notification to the Market Court with the Data Protection Authority as respondent. 
 
           
 
(signed) Hielke Hijmans 
Chairman of the Disputes Chamber