German DPA Fines Data Controller For Inadequate Data Processing Agreement
The Bavarian Data Protection Authority (DPA) issued a press release stating that it imposed a significant fine on a data controller for failing to adequately specify the security controls protecting personal data in a data processing agreement with a data processor. The DPA stated that the data processing agreement did not contain sufficient information regarding the technical and organizational measures to protect the personal data. The press release said the agreement was not specific enough and merely repeated provisions mandated by law. According to the DPA, the law provides some flexibility for companies to determine which contractual obligations are appropriate for a particular engagement. The DPA stated that this choice may depend on the data security plan of the data processor and related data processing systems used.