Typical remote maintenance activities include installing software updates and patches, diagnosing and resolving errors, continuously monitoring systems, and performing backups and data restoration. Network maintenance, hardware monitoring, security checks, and remote desktop support also fall under this heading.
According to Art. 28 GDPR, a data processing agreement is required if a processor processes personal data on behalf of a controller. But when exactly does such a data processing relationship exist in the case of remote maintenance?
No Data Processing for Pure Infrastructure Maintenance
A data processing relationship clearly does not exist if no personal data is processed. If access by the service provider to the client's personal data can be ruled out, then data processing on behalf does not apply. This is typically the case with pure infrastructure maintenance, such as work on the power supply, cooling, or heating. In practice, "ruled out" means that the maintenance access technically cannot reach systems holding personal data, not merely that the contract says it should not; a remote session onto a server that also stores user data does not qualify.
Possibility of Access is Sufficient for Data Processing on Behalf
In many cases, however, there is at least the possibility of accessing personal data as part of remote maintenance. Even where only audit logs are accessed, these logs record which persons were active in the IT systems and when, so they are themselves personal data, and their potential processing by the maintenance company is enough to raise the question.
The data protection authorities adopt a broad interpretation of data processing on behalf, according to which the mere possibility of accessing personal data is sufficient for this classification. The Short Paper No. 13 of the Data Protection Conference (DSK) explains this:
"Maintenance and remote access: If the subject of the contract between the controller and the processor is IT maintenance or remote maintenance (e.g., error analysis, support work in the client's systems) and if, in this context, the processor has the need or possibility to access personal data, then, in view of the broad definition of processing in Art. 4 No. 2 GDPR (e.g., reading, querying, using), this is also a form or partial activity of data processing on behalf, and the requirements of Art. 28 GDPR—such as the conclusion of a data processing agreement—must be implemented."
If remote maintenance involves even the mere possibility of accessing audit logs, this already constitutes processing of personal data within the meaning of Art. 4 No. 2 GDPR. In this case, a data processing agreement in accordance with Art. 28 GDPR is required.
Conclusion and Recommendations
According to the data protection authorities, remote maintenance constitutes data processing on behalf within the meaning of Art. 28 GDPR as soon as there is the possibility of access to personal data. In many cases, access to audit logs alone is sufficient to establish a data processing relationship. In such cases, concluding a data processing agreement between the controller (customer/user) and the processor (service provider performing the remote maintenance) is essential. The only exception is pure infrastructure maintenance, where access to personal data is excluded. To create legal clarity, contracts should explicitly state when processing of personal data is excluded, particularly for purely technical systems that store no user data.
In practice, however, it may make sense to treat remote maintenance as data processing on behalf across the board in order to avoid time-consuming case-by-case checks and additional administrative work. Where access to personal data is possible at all, it is advisable to assume data processing on behalf by default and to integrate this into the contractual framework between the parties.