
Remote Maintenance and GDPR: Processing, DPA and Security Measures

Timo Wevelsiep, updated: 30.06.2026

Editorial note: Versions, commands and prices may change. Please verify critical steps independently before production use. This guide does not replace individual consulting.

Remote maintenance is, under the GDPR, usually processing on behalf under Art. 28: as soon as an external provider can access personal data during maintenance, you need a data processing agreement (DPA), appropriate technical and organisational measures (TOMs) under Art. 32, clean logging, a deletion concept and, with US providers, a legal basis for the third-country transfer. This article explains when the obligation applies, what belongs in the contract and how to implement it cleanly. It also separates data protection from the cybersecurity obligations of NIS2.

When remote maintenance is processing on behalf (Art. 28 GDPR)

Processing on behalf exists when a provider processes personal data for the controller under its instructions (Art. 28 GDPR). The German Data Protection Conference (DSK), the body of the independent supervisory authorities, set a clear line on this in short paper No. 13: IT remote maintenance is processing on behalf unless it is purely technical maintenance of the infrastructure with no data access.

What matters is the possibility of access, not actual access. Because the technician could technically reach employee or customer data during fault analysis, a remote session or support, the processing is covered. The line in practice:

  • Processing on behalf (DPA required): remote maintenance of applications, databases, machine controllers or servers where personal data is visible or reachable.
  • Not processing on behalf: purely technical infrastructure work with no data relation, for example on power supply, cooling or cabling.

A machine or plant builder that remotely services its equipment at the customer site is therefore almost always a processor, and the customer is the controller.

What the DPA must contain (Art. 28(3))

The agreement must be concluded in written or electronic form (Art. 28(9)) and cover the following minimum content. Without it the processing is formally unlawful, however good the technology.

Mandatory content under Art. 28(3) | Meaning for remote maintenance
--- | ---
Subject matter, duration, nature, purpose, data types, categories of data subjects | Which systems are serviced, which data is reachable during it
lit. a: Processing only on instructions, incl. transfers | Processing only on the controller's documented instructions
lit. b: Confidentiality | Confidentiality commitment of the technicians used
lit. c: Security under Art. 32 | The agreed technical and organisational measures (TOMs)
lit. d: Sub-processors | Authorisation and binding of subcontractors and tool vendors
lit. e: Assistance with data subject rights | Help with access, erasure, rectification (Art. 12 to 23)
lit. f: Assistance with Art. 32 to 36 | Help with security, breach notification and impact assessment
lit. g: Deletion or return | Handling of data and access after the assignment ends
lit. h: Evidence and audits | The controller's inspection and audit rights

Both parties must also list the processing in their record of processing activities under Art. 30.

Technical and organisational measures (Art. 32) for remote maintenance

Art. 32 GDPR requires a level of protection appropriate to the risk and to the state of the art, explicitly including encryption, the safeguarding of confidentiality, integrity, availability and resilience, and regular testing of effectiveness. For remote maintenance this translates into concrete measures:

  • Encrypted connection instead of an open port: access through a secured tunnel or gateway, not a system directly reachable from the internet.
  • Strong authentication: multi-factor authentication and central sign-on. Our article on SSO and MFA for remote access shows how to implement it.
  • Least privilege (RBAC): each technician reaches only the systems the task requires, ideally time-limited with approval (just-in-time). Details in our guide to RBAC and audit for remote access.
  • Logging: input and access control as a measure, implemented as logs that are traceable and tamper-evident.
  • Currency: patched components and continuous vulnerability management.

The TOMs must not only be implemented in practice but also documented as an annex to the DPA.

Third-party access, sub-processors and logging

It gets delicate when the provider itself brings in further third parties: a remote-maintenance tool as a cloud service, a subcontractor or a support partner abroad. Such sub-processors are only permitted with the controller's authorisation (Art. 28(2) and (4)), and the main processor must impose the same obligations on them. Every tool that processes data or session content has to be checked here.

In parallel, the accountability principle (Art. 5(2)) applies: you must be able to demonstrate who accessed which data and when. In practice this means a complete, tamper-evident audit log across all sessions, extended by session recording for critical systems. A central audit and logging system such as Wazuh consolidates this evidence. The same traceability is also the bridge to NIS2.

Deletion concept and storage limitation

Storage limitation (Art. 5(1)(e)) and the right to erasure (Art. 17) require that data is not kept longer than necessary. For remote maintenance that means:

  • After the assignment ends: data and access are deleted or returned (Art. 28(3)(g)). Orphaned VPN access or maintenance accounts of former providers are a common and avoidable finding.
  • Ongoing deletion periods: session recordings, logs and support tickets need defined retention and deletion periods, documented in a deletion concept.
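As an added illustration of the tamper-evident session logging described under "Third-party access, sub-processors and logging" and of the deletion periods required by the deletion concept above (example code written for this article, not code from the original page or from WZ-IT): a hash-chained audit log of remote-maintenance sessions in Python. Each entry records who accessed which system and when, every hash is bound to its predecessor so that a later edit breaks the chain, and retention pruning removes only the oldest entries while keeping the rest verifiable. The technicians, system names and timestamps are constructed sample data; the class and function names and the 90-day retention used in the demo are assumptions, not values from the article.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # anchor value before any entry exists


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash an entry together with its predecessor's hash, so that editing
    or removing any earlier entry changes every hash that follows it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class SessionAuditLog:
    """Append-only, hash-chained log of remote-maintenance sessions
    (hypothetical helper written for this example, not a real library)."""

    def __init__(self, anchor: str = GENESIS):
        # Hash of the most recently pruned entry; verification starts from here.
        self.anchor = anchor
        self.entries = []  # each entry: {"record": ..., "prev": ..., "hash": ...}

    def append(self, technician: str, system: str, action: str, at: datetime) -> str:
        """Record who accessed which system, when, and what happened."""
        record = {"technician": technician, "system": system,
                  "action": action, "at": at.isoformat()}
        prev = self.entries[-1]["hash"] if self.entries else self.anchor
        digest = entry_hash(prev, record)
        self.entries.append({"record": record, "prev": prev, "hash": digest})
        return digest

    def verify(self):
        """Return (True, n) if all n entries chain back to the anchor,
        otherwise (False, i) with i the index of the first broken entry."""
        prev = self.anchor
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry_hash(prev, entry["record"]) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, len(self.entries)

    def prune(self, now: datetime, retention: timedelta) -> int:
        """Apply the deletion concept: drop entries older than the retention
        period. Only the oldest prefix is removed and its last hash becomes
        the new anchor, so the remaining chain still verifies."""
        cutoff = now - retention
        removed = 0
        while self.entries and datetime.fromisoformat(self.entries[0]["record"]["at"]) < cutoff:
            self.anchor = self.entries.pop(0)["hash"]
            removed += 1
        return removed

    def accesses_to(self, system: str):
        """Accountability query (Art. 5(2)): who touched this system and when."""
        return [(e["record"]["technician"], e["record"]["at"])
                for e in self.entries if e["record"]["system"] == system]


SAMPLE_T0 = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)  # constructed sample time


def build_sample_log() -> SessionAuditLog:
    """Four constructed session events for two technicians (sample data, not real)."""
    log = SessionAuditLog()
    log.append("tech-a", "plc-line-3", "session_start", SAMPLE_T0)
    log.append("tech-a", "plc-line-3", "session_end", SAMPLE_T0 + timedelta(minutes=40))
    log.append("tech-b", "erp-db", "session_start", SAMPLE_T0 + timedelta(days=100))
    log.append("tech-b", "erp-db", "session_end", SAMPLE_T0 + timedelta(days=100, minutes=15))
    return log


def run_demo() -> dict:
    """Exercise the integrity check, tamper detection and retention pruning."""
    intact = build_sample_log()
    tampered = build_sample_log()
    tampered.entries[1]["record"]["technician"] = "tech-z"  # after-the-fact edit
    pruned = build_sample_log()
    # Assumed policy for the demo: 90-day retention, checked 150 days after the first session.
    removed = pruned.prune(SAMPLE_T0 + timedelta(days=150), timedelta(days=90))
    return {
        "intact_ok": intact.verify(),
        "tampered": tampered.verify(),
        "removed": removed,
        "after_prune": pruned.verify(),
        "plc_accesses": intact.accesses_to("plc-line-3"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In a real deployment the chain head (or each hash) would be written to a separate, write-once store, or forwarded to a central audit system such as the Wazuh setup mentioned in the article, so that someone with write access to the log file cannot simply recompute the whole chain; the hash chain alone only makes tampering detectable, not impossible.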

Third-country transfer: the risk with US cloud remote maintenance

As soon as a US provider or its cloud can access the data, there is a transfer to a third country under Chapter V GDPR, even when the servers sit physically in the EU. You need a legal basis for it:

  • Adequacy decision: the EU-US Data Privacy Framework (decision of 10 July 2023) permits transfer to DPF-certified US recipients. The framework is under scrutiny, though: the EU General Court dismissed the Latombe case (T-553/23) on 3 September 2025, an appeal to the CJEU is pending, and a renewed strike-down ("Schrems III") cannot be excluded.
  • Standard Contractual Clauses (SCC): for non-certified recipients, combined with a transfer impact assessment (TIA) following the Schrems II judgment (C-311/18).

The core problem: US laws such as the CLOUD Act and FISA 702 compel US providers to disclose data even when it sits in the EU. Neither the DPF nor SCCs lift that obligation. The only technical measure the authorities regard as effective is strong encryption with sole key control inside the EU. The most robust route therefore remains operation in the EU with no data outflow into US hands.

GDPR and NIS2: two separate sets of obligations

Data protection and cybersecurity are often confused, but they are two distinct legal regimes that overlap for remote access:

Dimension | GDPR | NIS2 / BSIG
--- | --- | ---
Protected interest | personal data | security and availability of network and information systems
Legal basis | GDPR (EU) 2016/679 | NIS2 (EU) 2022/2555, BSIG (NIS2 implementation law, in force since 6 Dec 2025)
Trigger | processing of personal data | activity in a NIS2 sector above the threshold
Supervision | data protection authorities | the BSI
Maximum fine | up to EUR 20m or 4 % of turnover (Art. 83) | up to EUR 10m or 2 % of turnover
Core remote-access duty | DPA, TOMs, deletion concept | risk management, MFA, audit, supply chain

Both apply in parallel: remote maintenance can be NIS2-compliant and still breach data protection if the DPA is missing. How to implement the cybersecurity side is covered in our article on NIS2-compliant remote access.

This article is general information and not legal advice. For a binding assessment of your obligations please consult qualified legal counsel; we are happy to support the technical implementation.

How WZ-IT implements this

We build sovereign remote-management platforms that map exactly these requirements in technology: access through a secured gateway instead of an open port, MFA and SSO, role-based and time-limited rights, a tamper-evident audit of all sessions, defined deletion periods, documented TOMs as a DPA annex, and operation in Germany without dependence on US cloud services. For ABCO Water Systems in Australia we run this secured remote access to distributed plants with role-based rights and a full audit trail.

Want to put your remote maintenance on a data-protection-compliant footing? Book a free initial consultation.

Frequently Asked Questions

Answers to the most important questions

Is remote maintenance processing on behalf under the GDPR?

Usually yes. Following the aligned position of the German data protection authorities (DSK, short paper No. 13), remote maintenance is processing on behalf under Art. 28 GDPR as soon as an external provider can access personal data, for example during fault analysis, remote sessions or support. The technical possibility of access is enough; actual access need not occur. Only purely technical maintenance of the infrastructure without any data access (such as power or cooling) is not processing on behalf.

Do I need a data processing agreement for remote maintenance?

Yes, where the remote maintenance is processing on behalf. Art. 28(3) GDPR requires a data processing agreement (DPA) in written or electronic form. Without it, the processing is formally unlawful no matter how secure the technology is. The agreement fixes the binding instructions, confidentiality, technical and organisational measures, the handling of sub-processors, deletion and audit rights.

Which technical and organisational measures does Art. 32 require?

Art. 32 GDPR requires a level of protection appropriate to the risk and to the state of the art. For remote maintenance that means in practice: an encrypted connection instead of an open port, multi-factor authentication and SSO, role-based least-privilege access, time-limited just-in-time access with approval, complete tamper-evident logging, and patched, vulnerability-managed components.

What applies when a US provider performs the remote maintenance?

If a US provider or its cloud can access the data, that is a third-country transfer under Chapter V GDPR. You need a legal basis: the EU-US Data Privacy Framework adequacy decision (only for DPF-certified recipients) or Standard Contractual Clauses plus a transfer impact assessment. Because of the CLOUD Act and FISA 702 a residual risk remains, reduced technically by encryption with EU-only key control. The safest route is EU operation with no data outflow.

How do the GDPR and NIS2 differ for remote maintenance?

The GDPR protects personal data and requires a DPA, security measures and a deletion concept for remote maintenance. NIS2 (in Germany through the BSIG) protects the security and availability of network and information systems and requires risk management, MFA, audit and supply-chain security. They are two separate sets of obligations with different supervisory authorities (data protection authority and the BSI) that overlap for remote access but do not replace each other.

Must remote-maintenance sessions be logged?

Yes. The accountability principle in Art. 5(2) GDPR and input and access control as a measure under Art. 32 require that it stays traceable who accessed which data and when. In practice this means a tamper-evident audit log of all sessions, extended by session recording for critical systems. This also delivers the traceability that NIS2 demands.
