With the introduction of the GDPR in May 2018, the provisions on commissioned data processing previously known from the BDSG were renewed. They require the conclusion of a contract (an AVV) with service providers or partners who process personal data on the company's behalf. Accordingly, companies must proceed very carefully when selecting possible service providers and must check their activities at regular intervals. In general corporate practice, these activities include, for example, payroll accounting, sales activities or the use of marketing and analysis tools. Essential areas of cooperation with other companies are therefore affected by this regulation.
What does such an order processing contract (AVV) look like?
According to Art. 28 para. 3 GDPR, such a contract must be concluded between the controller (one's own company) and the processor (the service provider). This is a special provision, since the GDPR actually requires the consent of the data subjects when their data are processed. Once an order processing contract is in place, however, no further legal basis is required for the processing of personal data. The data subjects must nevertheless be informed that such service providers are used and that the necessary contracts have been concluded. These contracts are subject to certain requirements, which are intended to prevent the use of service providers who do not exercise the necessary diligence in processing personal data. An AVV covers, for example, the subject matter, the nature and purpose of the processing, compliance with the rights of the data subjects, and the obligations of both parties. Such a contract must be concluded in writing, whereby electronic form is also sufficient. Should data protection violations occur, the client must always ensure that the obligations arising from the GDPR are fulfilled, and the service provider (processor) must support the client in this. The processor must also take technical and organisational measures to make data processing secure.
When can an order processing contract be waived?
When personal data are processed, a distinction must be made between service providers who are bound by instructions and independent contractors who act on their own responsibility and provide services from outside the field. Examples of such professional groups are tax consultants, banks, company doctors and lawyers. Because they are not bound by instructions, there is no need to conclude an order processing contract with them.