Updated Friday, August 9, 2024

Is Remote Maintenance Data Processing on Behalf?

Remote maintenance of IT systems allows IT service providers to access systems remotely and perform maintenance work without being physically on-site. As a rule, the IT service company gains, at least potentially, access to the client's personal data. This article provides an overview of the data protection classification of remote maintenance.

Steffen Groß

Partner (Attorney-at-law)


Typical applications of remote maintenance include installing software updates and patches, diagnosing and resolving errors, continuously monitoring systems, and performing backups and data restoration. Network maintenance, hardware monitoring, security checks, and remote desktop support are also included.

According to Art. 28 GDPR, a data processing agreement is required if a processor processes personal data on behalf of a controller. But when exactly does such a data processing relationship exist in the case of remote maintenance?


No Data Processing for Pure Infrastructure Maintenance

A data processing relationship clearly does not exist if no personal data is processed. If access by the service provider to the client's personal data can be ruled out, then data processing on behalf does not apply. This is typically the case with pure infrastructure maintenance, such as work on the power supply, cooling, or heating.


Possibility of Access is Sufficient for Data Processing on Behalf

In many cases, however, there is at least the possibility of accessing personal data as part of remote maintenance. Even if the maintenance company accesses only audit logs, which record which persons were active in the IT systems and when, this involves the potential processing of personal data.

The data protection authorities adopt a broad interpretation of data processing on behalf, according to which the mere possibility of accessing personal data is sufficient for this classification. Short Paper No. 13 of the Data Protection Conference (DSK) explains this:

"Maintenance and remote access: If the subject of the contract between the controller and the processor is IT maintenance or remote maintenance (e.g., error analysis, support work in the client's systems) and if, in this context, the processor has the need or possibility to access personal data, then, in view of the broad definition of processing in Art. 4 No. 2 GDPR (e.g., reading, querying, using), this is also a form or partial activity of data processing on behalf, and the requirements of Art. 28 GDPR—such as the conclusion of a data processing agreement—must be implemented."

If remote maintenance merely involves the possibility of accessing audit logs, this constitutes the processing of personal data within the meaning of Art. 4 No. 2 GDPR. In this case, a data processing agreement in accordance with Art. 28 GDPR is required.


Conclusion and Recommendations

According to the data protection authority, remote maintenance constitutes data processing on behalf within the meaning of Art. 28 GDPR as soon as there is the possibility of access to personal data. In many cases, access to audit logs is sufficient to establish a data processing relationship. In such cases, concluding a data processing agreement between the controller (customer/user) and the processor (service provider performing the remote maintenance) is essential. The only exception is pure infrastructure maintenance, where access to personal data is excluded. To create legal clarity, contracts should explicitly state when processing of personal data is excluded, particularly in purely technical systems without user data storage.

In practice, however, it may make sense to treat remote maintenance as data processing on behalf in order to avoid time-consuming case-by-case checks and additional administrative work. If access to personal data is possible, it is advisable to assume data processing on behalf by default and to integrate this process into the contractual framework between the parties.

© 2019 - 2024 Simpliant