Software often processes personal data, so the requirements of the GDPR must be taken into account. To protect this data as effectively as possible, the GDPR already sets specific requirements for the production of the relevant software. If these requirements are not met, the consequences for manufacturers and for users in Germany differ, and both sides should be aware of them.
For the production of software, Article 25 of the GDPR is the relevant provision.
- Paragraph 1 concerns the requirements for privacy-friendly technology development (privacy by design).
- Paragraph 2 regulates the same for privacy-friendly default settings of software (privacy by default).
The measures to be taken in software development always depend on the individual case. Article 25 of the GDPR has deliberately been kept abstract in order to remain technology-neutral and to keep pace with technical developments. For each piece of software, it must therefore be decided individually which measures are appropriate.
A solution that protects data as far as possible must be found in a case-by-case assessment based on the factors named in Article 25(1) GDPR. These include
- the state of the art and the cost of implementation,
- the nature, scope, context and purposes of the processing, and
- the risks to the rights and freedoms of the data subjects (an impact assessment).
This assessment should be documented in order to meet the accountability obligation towards the supervisory authorities (Art. 5(2) GDPR).
To implement the privacy-by-design requirement, software must be designed to be privacy-friendly. In software development, risk-based, effective and appropriate technical and organizational measures must be taken on a case-by-case basis. The aim is to protect the rights of the persons whose data will later be processed with and by the software as far as possible, and to exclude or minimize the risk of a data breach. Above all, the data protection principles of Art. 5(1) GDPR, which also govern German data protection law, must be taken into account and their implementation guaranteed. Key principles are:
- data minimization
- storage limitation
- integrity and confidentiality
- lawfulness, fairness and transparency
The term privacy by default refers to requirements for the default settings of software. These must be designed so that, by default, only the data necessary for the respective processing purpose is processed. This requirement implements the idea of data minimization: the software protects the data of its users as far as possible even if the users never adjust their settings, and reduces data processing and storage to the essentials.
The requirements and principles mentioned above must be taken into account very early in the development process. Appropriate measures must therefore be taken as early as the planning stage of the processing operations to ensure lawful data processing later on. In this way, the controller is held accountable at the earliest possible point in time and cannot be released from liability, because the controller remains obliged to take account of the actual data processing. The same principles must also be observed when producing software updates.
Applying the GDPR at the earliest possible stage of producing and using software raises the question of who is responsible for compliance with these principles. In practice, software is often not used by the people who produced it. It would therefore seem reasonable to oblige the software producer or programmer to implement the GDPR and to take responsibility for it. Article 25 of the GDPR, however, places the obligation only on the "controller". This is a fixed legal concept defined in Article 4(7) of the GDPR: the controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The software producer usually only programs the software for a later user and therefore does not determine the purposes or means of the processing. Thus, the producer is not an addressee of Article 25 GDPR and is not responsible towards the user or the supervisory authority for the implementation of privacy by design or privacy by default.
This has a number of consequences for the software developer. Because responsibility for the software lies with the user, an imbalance arises: the producer has the knowledge and expertise to implement the requirements of the GDPR, while the purchaser often lacks the know-how to check the software for GDPR compliance. Nevertheless, it is the purchaser who, as controller, is responsible under the GDPR for data protection defects in the software and, in case of doubt, liable for damages.
To compensate for this imbalance, purchasers can use contractual agreements obliging the producer to take the requirements of Article 25 of the GDPR into account during development. In the event of violations, the purchaser can then assert warranty claims for defects and recover the resulting damage from the producer.
Even without an explicit agreement, warranty claims may arise. Because the GDPR applies to all programs used within the European Union, GDPR compliance is a feature that can normally be expected of software. A lack of it can therefore constitute a defect and trigger a warranty claim even without a specific contractual provision.
To be on the safe side, however, purchasers should include specific requirements in the contract. If a maintenance contract between the software manufacturer and the purchaser also exists, the manufacturer is likewise obliged to maintain conformity with data protection in the program and to adapt it accordingly in the event of changes in the legal situation or the state of the art.
The lack of responsibility under the GDPR protects the manufacturer from fines or compensation claims under the GDPR in the event of data protection defects in their software, but not from warranty claims by the actual controller. Software should therefore always provide for basic technical settings. These include:
- consent and revocation options,
- their documentation,
- a role and access concept
and more. Ultimately, manufacturers, purchasers and IT managers should ensure that all minimum requirements are met and documented. Software producers in particular should be aware that although they bear no responsibility under the GDPR itself, they can be liable to their contractual partners and, on top of that, lose their reputation and thus their competitiveness.
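The three settings listed above can be sketched in code. The following Python module is an added example written for this article, not code from any product or from the article's author; the purpose names, roles and data categories are assumptions chosen for illustration. It shows privacy-by-default settings (optional purposes start disabled), consent records that can be granted and revoked with an append-only log that documents each change, and a role and access concept that denies access to a data category unless the role is permitted and, where the category exists only for an optional purpose, consent is currently active.

```python
"""Added example for this article: privacy-by-default settings, documented
consent with revocation, and a role/access concept. Purposes, roles and data
categories are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Privacy by default (Art. 25(2) GDPR): every optional processing purpose
# starts disabled, so nothing beyond the core purpose is processed unless the
# user actively opts in. Purpose names are assumptions.
DEFAULT_SETTINGS = {
    "usage_analytics": False,
    "marketing_email": False,
    "crash_reports_with_identifiers": False,
}


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    revoked_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.revoked_at is None


@dataclass
class ConsentLedger:
    """Consent per purpose plus an append-only log for accountability."""
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, event: str, purpose: str) -> None:
        # Documentation of consent and revocation (Art. 5(2) GDPR).
        self.audit_log.append((datetime.now(timezone.utc), event, purpose))

    def grant(self, purpose: str) -> None:
        if purpose not in DEFAULT_SETTINGS:
            raise ValueError(f"unknown purpose: {purpose}")
        self.records[purpose] = ConsentRecord(purpose, datetime.now(timezone.utc))
        self._log("grant", purpose)

    def revoke(self, purpose: str) -> None:
        rec = self.records.get(purpose)
        if rec is None or not rec.active:
            raise ValueError(f"no active consent for {purpose}")
        rec.revoked_at = datetime.now(timezone.utc)
        self._log("revoke", purpose)

    def allowed(self, purpose: str) -> bool:
        rec = self.records.get(purpose)
        if rec is not None:
            return rec.active
        return DEFAULT_SETTINGS.get(purpose, False)


# Role and access concept: which role may read which data category.
# Roles and categories are assumptions for the example.
ROLE_PERMISSIONS = {
    "support_agent": {"contact"},
    "analyst": {"usage"},
    "dpo": {"contact", "usage", "consent_log"},
}
# Categories that exist only for an optional purpose require active consent.
CATEGORY_PURPOSE = {"usage": "usage_analytics"}


def can_access(role: str, category: str, ledger: ConsentLedger) -> bool:
    """Least privilege: deny unless the role is permitted AND, for
    consent-bound categories, consent is currently active."""
    if category not in ROLE_PERMISSIONS.get(role, set()):
        return False
    purpose = CATEGORY_PURPOSE.get(category)
    if purpose is not None and not ledger.allowed(purpose):
        return False
    return True


if __name__ == "__main__":
    ledger = ConsentLedger()
    print("analyst before consent:", can_access("analyst", "usage", ledger))
    ledger.grant("usage_analytics")
    print("analyst after consent:", can_access("analyst", "usage", ledger))
    ledger.revoke("usage_analytics")
    print("analyst after revocation:", can_access("analyst", "usage", ledger))
    for ts, event, purpose in ledger.audit_log:
        print(ts.isoformat(), event, purpose)
```

The key design choice is that the default dictionary, not the absence of a record, decides what happens when a user has never touched a setting: a missing consent record falls back to `False`, so an optional purpose is never silently enabled. Revoking consent closes the record rather than deleting it, which keeps the documentation the supervisory authority may ask for.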