
Data Processing in Business: Your Guide to Success


The order processing agreement is a necessary evil that affects companies in the area of data processing. In the worst case scenario, processing without a contract means liability for the processor as the person responsible for the processed data. The following article discusses order processing and the factors that need to be considered, from a practical point of view, when drawing up the agreement.


Who does the order processing agreement concern?

The term "processor" is defined in Article 4 No. 8 GDPR: The “processor” is a natural or legal person, authority, institution or other body that processes personal data on behalf of the person responsible.

According to this definition, the topic of order processing concerns a large number of companies, but also private individuals who process personal data on behalf of them. IT service providers in particular are affected by the regulation, as the processing of data is part of the core business of electronic data processing, i.e. IT.

If the processor does not comply with its obligations under the GDPR, in the worst case scenario it will be regarded as the person responsible in accordance with Article 28 (10). This also applies to the conclusion of a valid order processing contract, as the processor may only process personal data on documented instructions from the person responsible.

What must the order processing contract contain?

According to Article 28 (3), processing must be carried out by a processor on the basis of a contract with the person responsible. This agreement must contain detailed information on the following points:

  • Subject and duration of processing
  • Type and purpose of processing
  • Type of personal data
  • Categories of affected persons
  • Duties and rights of the person responsible

Article 28 (3) also provides that the order processing agreement (AVV, from the German Auftragsverarbeitungsvertrag) includes the contractor's technical and organizational measures (TOM) referred to in Article 32 GDPR ("Security of processing").

Should the processor use other subcontractors to fulfill its mandate, the technical and organizational measures of these contracted subcontractors must be integrated into its own TOMs. In addition, AVVs must be concluded with subcontractors.

The form of contract conclusion

Article 28 (9) GDPR stipulates that the AVV must be drafted in writing, which can also be done in an electronic format. "In writing" refers to the classic written form, i.e. a printed version of the contract with the signatures of the contracting parties, which are obtained by post.

The above-mentioned electronic format, on the other hand, is not to be understood as “electronic form” in the sense of Section 126a of the German Civil Code (BGB), but rather as an AVV that is provided in a file format. This would correspond to the text form within the meaning of Section 126b BGB.

If the text form within the meaning of Section 126b BGB is assumed, the agreement in which the person of the declarant is named must be submitted on a durable data carrier. A durable data carrier is any medium which enables the recipient to retain or store a declaration on the data carrier and is suitable for reproducing the declaration unchanged.

It is therefore generally possible to send the AVV as a PDF file by e-mail even without the registration of individual customer data. However, it is not enough if the AVV is only available on the website, as this is not suitable for reproducing the declaration unchanged. It is also important that the name of the declarant is removed from the document sent so that the text form requirement is met.

The declaration that the customer agrees with the AVV can also be made electronically. Basically, there are no special features here. Consent can be given, among other things, by clicking on a checkbox, by a declaration of consent by e-mail or in another unequivocal way. It is only important that the consent is adequately documented.

AVV as annex to the terms and conditions (AGB)

From a geographical point of view, the AVV can be added as an appendix to the terms and conditions, but the AVV is a separate agreement that requires express consent from the customer. On the other hand, it is reasonable to assume that clauses regulating the order processing relationship do not become part of the terms and conditions, in accordance with Section 305c (surprising and ambiguous clauses). Due to the formal requirement, it is also a good idea to make the AVV available for download as a separate PDF document.

The declaration of consent can also be obtained electronically as described above.

AVV obligation

The GDPR is clear on the need to agree on data processing. Only those who conclude an AVV can process data for a person responsible. Conversely, anyone who has data processed also needs an AVV. The obligation to conclude an AVV therefore applies to both parties, responsible persons and contract processors.

The GDPR does not provide for an exception here. If there is no AVV, then the cooperation should be terminated, because data processing would then be unlawful.

Do you still need a template? You can now access our order processing agreement free of charge and adapt it to your wishes.
