
Data Processing in Business: Your Guide to Success

The contract agreement is a necessary evil that affects companies in the area of data processing. In the worst case scenario, processing without a contract means liability for the processor as the person responsible for the processed data. The following article discusses order processing and which factors need to be considered when creating it from a practical point of view.


Who does the order processing agreement concern?

The term "processor" is defined in Article 4 No. 8 GDPR: The “processor” is a natural or legal person, authority, institution or other body that processes personal data on behalf of the person responsible.

According to this definition, the topic of order processing concerns a large number of companies, but also private individuals who process personal data on their behalf. IT service providers in particular are affected by the regulation, as the processing of data is part of the core business of electronic data processing, i.e. IT.

If the processor does not comply with its obligations under the GDPR, in the worst case scenario, it will be regarded as the person responsible in accordance with Article 28 (10). This also applies to the conclusion of a valid order processing contract, as the processing of personal data by the processor may only take place following documented instructions from the person responsible.

What must the order processing contract contain?

According to Article 28 (3), processing must be carried out by a processor on the basis of a contract with the person responsible. This agreement must contain detailed information on the following points:

  • Subject and duration of processing
  • Type and purpose of processing
  • Type of personal data
  • Categories of affected persons
  • Duties and rights of the person responsible

Article 28 (3) also provides that the order processing agreement (German: Auftragsverarbeitungsvertrag, AVV) includes the contractor's technical and organizational measures (TOM) referred to in Article 32 GDPR (Security of Processing).

Should the processor use other subcontractors to fulfill its mandate, the technical and organizational measures of these contracted subcontractors must be integrated into its own TOMs. In addition, AVVs must be concluded with subcontractors.

The form of contract conclusion

Article 28 (9) GDPR stipulates that the AVV must be drafted in writing, which can also be done in an electronic format. The written form is the classic one, i.e. a printed version of the contract with the signatures of the contracting parties, which are obtained by post.

The above-mentioned electronic format, on the other hand, is not to be understood as “electronic form” in the sense of Section 126a of the German Civil Code (BGB), but rather as an AVV that is provided in a file format. This would correspond to the text form within the meaning of Section 126b BGB.

If the text form is assumed to be used within the meaning of Section 126b BGB, the agreement in which the person of the declarant is named must be submitted on a durable data carrier. A durable data carrier is any medium which enables the recipient to retain or store a declaration on the data carrier and is suitable for reproducing the declaration unchanged.

It is therefore generally possible to send the AVV as a PDF file by e-mail even without the registration of individual customer data. However, it is not enough if the AVV is only available on the website, as this is not suitable for reproducing the declaration unchanged. However, it is important that the name of the declarant is removed from the document sent so that the text form requirement is met.

The declaration that the customer agrees with the AVV can also be made electronically. Basically, there are no special features here. Consent can be given, among other things, by clicking a checkbox, by a declaration of consent by e-mail, or in another unequivocal way. It is only important that the consent is adequately documented.

AVV as an annex to the terms and conditions (AGB)

In terms of placement, the AVV can be added as an appendix to the terms and conditions, but the AVV is a separate agreement that requires express consent from the customer. On the other hand, it is reasonable to assume that, in accordance with Section 305c (surprising and ambiguous clauses), clauses regulating the order processing relationship do not become part of the terms and conditions. Due to the formal requirement, it is also a good idea to make the AVV available for download as a separate PDF document.

The declaration of consent can also be obtained electronically as described above.

AVV obligation

The GDPR is clear on the need to agree on data processing. Only those who conclude an AVV can process data for a person responsible. Conversely, anyone who has data processed also needs an AVV. The obligation to conclude an AVV therefore applies to both parties, responsible persons and contract processors.

The GDPR does not provide for an exception here. If there is no AVV, then the cooperation should be terminated, because then data processing would be unlawful.
