Before engaging many of their service providers, companies must conclude a data processing agreement. According to the Berlin data protection supervisory authority (BlnBDI), the model contracts commonly used for this purpose are regularly unlawful because they do not comply with Art. 28 GDPR.
Here you can find out what needs to be observed in data processing agreements (AVV contracts, from the German Auftragsverarbeitungsvertrag).
What is commissioned processing?
The Processor is defined in Art. 4 No. 8 GDPR as any natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. It must therefore be someone other than the controller and the person must act on behalf of the controller.
The processor is not itself the controller. It acts solely on the documented instructions of the controller, and the controller remains responsible for compliance with data protection law.
The processor is bound by instructions vis-à-vis the controller. At the beginning of their business relationship, the processor and the controller conclude a so-called order processing agreement, which regulates the rights and obligations of the processor, in particular with regard to the personal data provided by the controller.
Model contracts for commissioned processing
Processors usually act for many different controllers at the same time. A common example of processors are service providers in the area of web hosting. To keep their business efficient, such service providers often use model contracts: templates in which usually only the name of the contracting party is changed. This may be convenient for the processor's business processes, but these templates frequently fail to meet the legal requirements.
According to its own information, the Berlin data protection supervisory authority (BlnBDI) regularly receives inquiries from companies that want to engage a processor (mostly for web hosting services). When selecting a suitable service provider, these companies often find that the model contracts for commissioned processing used by that provider do not meet the requirements of Art. 28 GDPR.
Review sample contracts
Using Berlin companies as its example, the Berlin data protection supervisory authority (BlnBDI) has developed a checklist for reviewing model contracts for commissioned processing. The basics of this list can be helpful both for affected controllers and for the respective processors. BlnBDI also provides interested parties with notes on how to use the checklist.
In publishing these aids, BlnBDI states: "For the first time, the checklist provides a standard for AVV auditing that can also be used in other areas. We encourage all IT service providers to independently check their standard contracts and adapt them to the law. After all, heavy fines can be imposed not only on controllers who use IT service providers without a proper AVV contract, but also on the IT service providers themselves."
Do you want to design documents and processes in your company to be data protection compliant? Our team of experts is ready to help you in word and deed!