The first level of this approach should provide the essential information, such as the identity of the person in charge of the processing, the purposes of the processing and a description of the rights of the person concerned. This information is not necessary if the person concerned already has it. For complete information, a (qualified) reference must be made to a website or a flyer (second level).
Under the RGPD, outsourced processing services are most often referred to as “contract-to-order treatments.” For this type of processing, the conditions set out in question 20 apply. However, this only applies to a processor that does not itself determine the purpose of the processing. If the controller transfers to the processor a whole function that does not require the processor to follow data processing instructions, the usual data transfer conditions apply, as indicated in questions 11 and 33.
The new BDSG regulations provide for stricter rules for the designation of a DSB. In accordance with Article 38 of the BDSG-new, controllers and processors must designate a DSB when at least 10 people are regularly involved in the processing of personal data wholly or partly by automated means.
No such reporting obligation applies. From a legal point of view, the data protection authority does not have the right to authorize data transfers. In practice, however, it will be very useful to reach agreement with the data protection authority in order to avoid sanctions in the future.
This results in uncertainties for controllers (the controller determines the purposes and means of processing personal data, Article 4, point 7, of the RGPD) and processors (the processor is the one that processes personal data on behalf of the controller, Article 4, point 8, of the RGPD). As an EU regulation, the RGPD is considered a higher rule of law. For this reason, national law must be in accordance with the RGPD. If a national law does not comply with the RGPD, the country violates its duty of loyalty under Article 4 of the TUE, which may give rise to infringement proceedings against that country. In addition, courts and supervisory authorities may decline to apply the law because they consider it to be a violation of European law. At this time, it is not clear that all BDSG-Neu rules comply with the RGPD or that controllers and processors can base their data protection decisions on these rules.