
Data Processing in Business: Your Guide to Success


The order processing agreement is a necessary evil for companies that work in data processing. In the worst case, processing without a contract makes the processor liable as the person responsible for the processed data. This article discusses order processing and the factors to consider when drafting the agreement from a practical point of view.


Who does the order processing agreement concern?

The processor is defined in Article 4 No. 8 GDPR: the “processor” is a natural or legal person, authority, institution or other body that processes personal data on behalf of the person responsible.

According to this definition, order processing concerns a large number of companies, as well as private individuals who process personal data on behalf of a person responsible. IT service providers in particular are affected by the regulation, as the processing of data is part of the core business of electronic data processing, i.e. IT.

If the processor does not comply with its obligations under the GDPR, in the worst case it will be regarded as the person responsible in accordance with Article 28 (10). This also applies to the conclusion of a valid order processing contract, as the processor may process personal data only on documented instructions from the person responsible.

What must the order processing contract contain?

According to Article 28 (3), processing must be carried out by a processor on the basis of a contract with the person responsible. This agreement must contain detailed information on the following points:

  • Subject and duration of processing
  • Type and purpose of processing
  • Type of personal data
  • Categories of affected persons
  • Duties and rights of the person responsible

Article 28 (3) also provides that the AVV (the order processing agreement) includes the contractor's technical and organizational measures (TOM) referred to in Article 32 GDPR (Security of processing).

If the processor uses subcontractors to fulfill its mandate, the technical and organizational measures of these subcontractors must be integrated into its own TOMs. In addition, AVVs must be concluded with the subcontractors.

The form of contract conclusion

Article 28 (9) GDPR stipulates that the AVV must be drafted in writing, which can also be done in an electronic format. Drafting in writing refers to the classic written form, i.e. a printed version of the contract with the signatures of the contracting parties, which are obtained by post.

The above-mentioned electronic format, on the other hand, is not to be understood as “electronic form” in the sense of Section 126a of the German Civil Code (BGB), but rather as an AVV provided in a file format. This would correspond to the text form within the meaning of Section 126b BGB.

If the text form within the meaning of Section 126b BGB is used, the agreement, in which the person of the declarant is named, must be submitted on a durable data carrier. A durable data carrier is any medium that enables the recipient to keep or store a declaration on the data carrier and is suitable for reproducing the declaration unchanged.

It is therefore generally possible to send the AVV as a PDF file by e-mail, even without the registration of individual customer data. It is not enough, however, if the AVV is only available on the website, as this is not suitable for reproducing the declaration unchanged. However, it is important that the name of the declarant is removed from the document sent so that the text form requirement is met.

The customer's declaration of agreement with the AVV can also be made electronically. Basically, there are no special features here. Among other things, the customer can agree by clicking a checkbox, by sending a declaration of consent by e-mail, or in another unequivocal way. It is only important that the consent is adequately documented.

AVV as annex to the terms and conditions (AGB)

Physically, the AVV can be attached as an appendix to the terms and conditions, but it remains a separate agreement that requires express consent from the customer. On the other hand, it is reasonable to assume that, in accordance with Section 305c (surprising and ambiguous clauses), clauses regulating the order processing relationship do not become part of the terms and conditions. Due to the formal requirement, it is also a good idea to make the AVV available for download as a separate PDF document.

The declaration of consent can also be obtained electronically as described above.

AVV obligation

The GDPR is clear about the need for an agreement on data processing. Only those who conclude an AVV can process data for a person responsible. Conversely, anyone who has data processed also needs an AVV. The obligation to conclude an AVV therefore applies to both parties: persons responsible and contract processors.

The GDPR does not provide for an exception here. If there is no AVV, the cooperation should be brought to an end, because the data processing would then be unlawful.
