Who does the order processing agreement concern?
The term "processor" is defined in Article 4 No. 8 GDPR: The “processor” is a natural or legal person, authority, institution or other body that processes personal data on behalf of the person responsible (the controller).
According to this definition, the topic of order processing concerns a large number of companies, but also private individuals who process personal data on behalf of others. IT service providers in particular are affected by the regulation, as the processing of data is part of the core business of electronic data processing, i.e. IT.
If the processor does not comply with its obligations under the GDPR, in the worst case it will be regarded as the person responsible in accordance with Article 28 (10). This also applies to the conclusion of a valid order processing contract, as the processing of personal data by the processor may only take place following documented instructions from the person responsible.
What must the order processing contract contain?
According to Article 28 (3), processing must be carried out by a processor on the basis of a contract with the person responsible. This agreement must contain detailed information on the following points:
- Subject and duration of processing
- Type and purpose of processing
- Type of personal data
- Categories of affected persons
- Duties and rights of the person responsible
Article 28 (3) also provides that the order processing contract (AVV) includes the contractor's technical and organizational measures (TOM) referred to in Article 32 GDPR (Security of processing).
Should the processor use subcontractors to fulfill its mandate, the technical and organizational measures of these subcontractors must be integrated into its own TOMs. In addition, AVVs must be concluded with the subcontractors.
The form of contract conclusion
Article 28 (9) GDPR stipulates that the AVV must be drafted in writing, which can also be done in an electronic format. "In writing" refers to the classic written form, i.e. a printed version of the contract with the signatures of the contracting parties, which are obtained by post.
The above-mentioned electronic format, on the other hand, is not to be understood as “electronic form” in the sense of Section 126a of the German Civil Code (BGB), but rather as an AVV provided in a file format. This would correspond to the text form within the meaning of Section 126b BGB.
If the text form within the meaning of Section 126b BGB is assumed, the agreement in which the person of the declarant is named must be submitted on a durable data carrier. A durable data carrier is any medium which enables the recipient to keep or store a declaration on the data carrier and is suitable for reproducing the declaration unchanged.
It is therefore generally possible to send the AVV as a PDF file by e-mail even without the registration of individual customer data. It is not enough, however, for the AVV to be available only on the website, as this is not suitable for reproducing the declaration unchanged. It is also important that the name of the declarant is removed from the document sent so that the text form requirement is met.
The declaration that the customer agrees with the AVV can also be made electronically. There are no special requirements here. Consent can be given, among other ways, by clicking a checkbox, by a declaration of consent sent by e-mail, or in another unequivocal way. It is only important that the consent is adequately documented.
AVV as an annex to the terms and conditions (AGB)
In terms of placement, the AVV can be added as an appendix to the terms and conditions, but the AVV is a separate agreement that requires express consent from the customer. On the other hand, it is reasonable to assume that, in accordance with Section 305c (surprising and ambiguous clauses), clauses regulating the order processing relationship do not become part of the terms and conditions. Due to the formal requirement, it is also a good idea to make the AVV available for download as a separate PDF document.
The declaration of consent can also be obtained electronically as described above.
AVV obligation
The GDPR is clear on the need to agree on data processing. Only those who conclude an AVV can process data for a person responsible. Conversely, anyone who has data processed also needs an AVV. The obligation to conclude an AVV therefore applies to both parties, responsible persons and contract processors.
The GDPR does not provide for any exception here. If there is no AVV, the cooperation should be brought to an end, because data processing would then be unlawful.