Companies respond to questions of their customers and clients concerning privacy and data protection in a pretty different manner. Any negative response is possible: from silence to incomprehension. The other day I stumpled upon wonderful examples and yet inconceivable responses of service providers you shouldn’t miss to read. (The original story is in German.)
Well, what happend: I looked for an approriate accounting tool for my business as self-employed consultant. Usually, respective services are offered as software as a service (SaaS). I tested the features of some services operated by German companies. They were recommended (at least their functionalities for SMBs) on several websites. Finally I wrote each of them an email and asked them directly:
„Do you also offer a data processing agreement (DPA) under Section 11 Federal Data Protection Act (German: § 11 BDSG)?“
Actually it’s supposed to be a matter of course to provide privacy compliant contracts. But compliance seems to be a question of money, though, at least for this provider: (All following quotes are translation by me. Here you can find the original quotes.)
Many thanks für your request. We would like to provide a data processing agreement for an additional fee of 50 EUR plus VAT. Could you please tell me if you agree? In this case I will forward your request immediately to the responsible department.
I must pay an additionally fee to get a legal and privacy compliant agreement? My answer including a fairly broad hint:
Many thanks for your response.
I am unwilling to bear an extra fee to get an agreement with you that is legal.
I will keep looking fo another provider.
And this is his reply with the less than convincing but alarming explanation of the additional fee:
Many thanks for your reply.
Generally, we offer a data processing agreement, but that is not a natural part of our service, that is included in (…)* prices (compare prices and ToC). As it causes additional administrative efforts(drafting the contract, sensing via land post, archiving, renewal etc.) we may charge a one-time fee to covers respective costs. The costs justify the efforts.
Let me repeat: „not a natural part of our service„.
What shall I say?
I don’t name the company in this article. I don’t want them to mandate a lawyer who sues me to delete this post. But, if you read this article you should be aware that other people would have published the company’s name. It’s pretty obvious that a company knows that they don’t comply with applicable law, compliance doesn’t play a role at all or at least the support is trained pretty bad. That is the best foundation for cease-and-desist orders and your company’s reputation is damaged quicker than you can type DPA.
You can reduce orivacy risks and avoid these obvious pitfalls by implementing an internal organisation that includes privacy and data protection checks and measures.
* Names are anonymized by me.
This reaction and procedure seems not to be an exemption. On the contrary. It’s getting better! And now they try to argue in a legal way:
Another provider is willing to provide a DPA. His fee is an annual one, though:
„Dear Dr. Moser,
Many thanks for your mail. Currently our law firm is working on a standard DPA. Unfortunately, they need a few more weeks.
At this point I would like to inform you that we have to charge an annual additional fee for the respective efforts. That’s why it is sensible if you assess if you really need a DPA (you can obtain your clients consent in your ToS for the transfer of data, for instance; many of our clients write invoices to legal entities and the BDSG does not apply in these cases).
If you have further questions please I am at your disposal.
And here is another effort to explain the rejection with legal arguments:
Thank you very much for your Mail.
Unfortunately, we can’t satisfy your wish for a data processing agreement for (…) (in contrast to several other products we offer). We would have loved to fulfill your demand but can’t due to general considerations.
Generally, regarding this product we don’t work on the base of data processing agreements. The reason is that this product is connected with several other products that need exlicit consent in our point of view. We obtain that from you in the course of your registration. Beyond that any data processing happens on the base of § 28 (1) No. 1 BDSG, so that a data processing agreement under § 11 BDSG is dispensable. Beyond that we follow our own interest implementing small tools to measure product perfomance, quality and usability, which in our opinion contradicts a data processing agreement.
Thank you very much.
Your Team from (…)
Or you are simply frank, like this provider
No, we don’t do that. (…) is focussed on small companies and we would like to offer the software at a more favourable price. That’s the reason why we have to reduce the effort as much as possible.
Many greetings from (…)