Data Processing Agreement (DPA) –
Why It Is Not Required
Legal assessment pursuant to GDPR · Version: March 2025
Legal Assessment
IDentity Center GmbH does not process personal data of end customers of business customers as part of the MeinDatensatz escrow service. A Data Processing Agreement pursuant to Art. 28 GDPR is therefore not required between IDentity Center GmbH and business customers for the escrow function. The following analysis sets out the reasoning based on the system design and applicable data protection law.
1. Scope of the GDPR
The GDPR applies, pursuant to Art. 2(1) GDPR, only to the processing of personal data. Under Art. 4(1) GDPR, personal data means any information relating to an identified or identifiable natural person. The decisive question is whether the processing entity can, using reasonably available means, identify a natural person.
Recital 26 GDPR states:
"The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information."
The DPA obligation under Art. 28 GDPR requires that a processor processes personal data on behalf of a controller. If no personal data is processed, this obligation does not arise.
2. Technical Design of MeinDatensatz
The MeinDatensatz system is designed to ensure that IDentity Center GmbH has no access to identifiable personal data of end customers at any time:
End-to-end encrypted payload
All dataset content is stored exclusively as ciphertext (payload_cipher) using AES-256-GCM (libsodium). The dataset key is itself encrypted with a key derived from the end customer's passphrase (Argon2id / libsodium pwhash). The passphrase is never stored and is unknown to IDentity Center GmbH.
Export password: accessible only to the business customer and end customer
The password generated when creating an export file is accessible exclusively to the business customer. The end customer receives it only if the business customer discloses it via a separate channel. IDentity Center GmbH does not store this password under any circumstances and has no access to it.
Automatic sanitisation of log files
Log files are automatically sanitised of data passed as parameters before writing. Content that could contain personal or otherwise sensitive information never appears in any log entry. Logs contain only technical identifiers (tenant ID, dataset ID, event type, timestamp).
Audit logs contain no PII
Audit logs contain only technical identifiers (tenant ID, dataset ID, event type, timestamp) and no plaintext end-customer PII. End-customer IP addresses are not stored in audit logs.
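The sanitisation described above is the kind of control a reviewer would want to see implemented as an allowlist rather than a denylist: only the four technical identifiers can ever reach a log line, every other parameter is dropped before writing, and an allowed field whose value does not look like an opaque identifier (for example an IP address) is redacted. The following is an added illustration written for this page, not code from IDentity Center GmbH or the MeinDatensatz system; the field names, the identifier format, the `AuditSanitiser` filter and the constructed sample event are assumptions.

```python
import io
import json
import logging
import re
from datetime import datetime

# Allowlist of keys that may appear in an audit or application log entry (assumed names).
ALLOWED_FIELDS = {"tenant_id", "dataset_id", "event_type", "timestamp"}

# Opaque technical identifiers only: letters, digits, "_" and "-". Email addresses,
# IPv4/IPv6 addresses and free text cannot match (they contain "@", "." or ":" or spaces).
_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def _is_iso_timestamp(value) -> bool:
    try:
        datetime.fromisoformat(str(value))
        return True
    except ValueError:
        return False


def sanitize_record(fields: dict) -> dict:
    """Reduce a raw event dict to the technical identifiers a log entry may contain.

    Keys outside ALLOWED_FIELDS are dropped so their values never reach the writer.
    An allowed key whose value is not an opaque identifier (or, for "timestamp",
    not an ISO-8601 string) is replaced by "<redacted>". Only the *count* of dropped
    parameters is kept, so a reviewer can see sanitisation happened without learning
    what was removed.
    """
    clean = {}
    dropped = 0
    for key, value in fields.items():
        if key not in ALLOWED_FIELDS:
            dropped += 1
            continue
        if key == "timestamp":
            clean[key] = str(value) if _is_iso_timestamp(value) else "<redacted>"
        elif _ID_RE.fullmatch(str(value)):
            clean[key] = str(value)
        else:
            clean[key] = "<redacted>"
    clean["dropped_params"] = dropped
    return clean


class AuditSanitiser(logging.Filter):
    """Logging filter that rewrites the record into a sanitised JSON line.

    Attached to the handler, it runs before formatting, so the unsanitised
    dict and any positional args are never interpolated into the output.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        raw = record.msg if isinstance(record.msg, dict) else {"event_type": str(record.msg)}
        record.msg = json.dumps(sanitize_record(raw), sort_keys=True)
        record.args = ()
        return True


def render_audit_line(fields: dict) -> str:
    """Push a raw event through a logger with the sanitising filter and return the written line."""
    buf = io.StringIO()
    logger = logging.getLogger("meindatensatz.audit.example")  # assumed logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(message)s"))
    handler.addFilter(AuditSanitiser())
    logger.addHandler(handler)
    logger.info(fields)
    handler.flush()
    return buf.getvalue().strip()


# Constructed sample event: what a careless call site might hand to the logger.
SAMPLE_EVENT = {
    "tenant_id": "t-42",
    "dataset_id": "ds-7",
    "event_type": "export_created",
    "timestamp": "2025-03-01T10:00:00+00:00",
    "email": "anna@example.org",        # end-customer PII: must be dropped
    "client_ip": "203.0.113.9",         # end-customer IP: must be dropped
    "passphrase": "correct horse",      # must never be logged
}

if __name__ == "__main__":
    print(render_audit_line(SAMPLE_EVENT))
```

The check a practitioner adds on top of this is a test that feeds the logger a record containing known secrets and asserts that none of them appear in the written line; the filter sits on the handler rather than at the call sites, so a single forgotten `logger.info(user_dict)` elsewhere in the code base still cannot leak.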
3. Legal Conclusion
IDentity Center GmbH stores and processes, within the escrow function, only data that carries no personal reference with respect to the processor. The ciphertext cannot, using the current state of the art and with reasonable effort, be decrypted without the key — which the system does not hold. No auxiliary information enabling identification of end customers (in particular email addresses) is present in the system.
This assessment is consistent with Recital 26 GDPR, which provides that data protection principles do not apply to information anonymised in such a manner that the data subject is no longer identifiable, and with the positions of supervisory authorities on the assessment of encrypted data (cf. WP 136 Art. 29 Working Party; EDPB guidelines on pseudonymisation and encryption).
Since IDentity Center GmbH does not process personal data within the meaning of Art. 4(1) GDPR for business customers in this function, it is not a processor within the meaning of Art. 4(8) GDPR. The obligation to conclude a Data Processing Agreement under Art. 28 GDPR requires such processing of personal data and therefore does not arise in the relationship between IDentity Center GmbH and business customers for the escrow function.
Legal basis summary
- Art. 4(1) GDPR – Personal data: only applicable where the processing entity can identify a natural person.
- Art. 4(5) GDPR – Pseudonymisation: the system goes beyond pseudonymisation; without the passphrase, decryption is impossible.
- Recital 26 GDPR – Anonymous information falls outside the scope of the GDPR.
- Art. 28 GDPR – DPA obligation: requires processing of personal data on behalf of a controller, which is not present here.
4. Distinction: Business Customer Data
This is to be distinguished from the registration and access data of business customers themselves (in particular names and email addresses of admin users), which MeinDatensatz processes in providing the service. IDentity Center GmbH processes this data as a controller, on the basis of the service agreement (Art. 6(1)(b) GDPR). No DPA is required for this, as it does not constitute processing on behalf of another controller. For details, see the Privacy Policy.
5. Business Customer's Data Protection Obligations
Although no DPA between the business customer and IDentity Center GmbH is required, the business customer as controller retains full data protection obligations towards its end customers:
- Ensuring a legal basis for processing end-customer data before upload (Art. 6 GDPR)
- Informing end customers about use of the escrow service in the business customer's own privacy policy
- Transmitting passphrases to end customers via a separate, GDPR-compliant channel (e.g. post, separate communication)
- Ensuring only lawfully processable data is uploaded
6. Contact for Data Protection Queries
For questions on the data protection classification of the service: