With the introduction of the GDPR in May 2018, the rules on commissioned data processing previously known from the BDSG were renewed. They require the conclusion of a contract (an AVV) with service providers or partners who process personal data on the company's behalf. Accordingly, companies must proceed very carefully when selecting possible service providers and review their activities at regular intervals. In general corporate practice, such processing includes, for example, payroll accounting, sales activities or the use of marketing and analysis tools. This means that essential areas of cooperation with other companies are affected by this regulation.
What does such an order processing contract (AVV) look like?
Such a contract must be concluded between the person responsible (your own company) and the processor (the service provider) in accordance with Article 28 (3) GDPR. This is a special provision of the GDPR, as the General Data Protection Regulation otherwise requires the consent of the data subjects for the processing of their data. Once the data processing agreement has been concluded, however, there is no need for any further legal basis for processing personal data. The data subjects must, however, be made aware that such service providers are being used and that the necessary contracts have been concluded. These contracts are of course subject to certain requirements. The aim is to prevent the use of service providers who do not exercise the necessary care in processing personal data. The contents of an AVV include, for example, the subject matter, the type and the purpose of the processing as well as compliance with the rights of the data subjects and the obligations of both parties. Such a contract must be concluded in writing, whereby the electronic form is sufficient. If data protection violations occur, the client must always ensure that the obligations arising from the GDPR are fulfilled. However, the service provider (processor) must support the client in this. The processor must also take technical and organizational measures to make data processing secure.
When can an order processing contract be waived?
When processing personal data, a distinction must be made between whether a service provider is bound by instructions or whether independent persons act on their own responsibility and provide non-specialist services. Examples of such professions would be tax consultants, banks, company doctors and lawyers. Because these parties are not bound by instructions, there is no need to conclude a data processing contract here.