- A data processing agreement (DPA, known in German as an AV contract) is required under Art. 28 GDPR whenever a service provider processes personal data on a company's behalf.
- The agreement sets out the rights and obligations of both parties with regard to data protection and data security.
- Its minimum contents include the subject matter of the processing, the type of data and the processor's confidentiality obligations.
- Without a DPA, passing personal data to a service provider exposes the company to fines and liability.
- Startups should identify their external service providers early and conclude DPAs with each of them.
- Having a DPA is not enough; the agreed obligations must be fulfilled on an ongoing basis.
- Violations of Art. 28 GDPR can lead to high fines and claims for damages.
Most important points
A data processing agreement (DPA; in German an AV contract, short for Auftragsverarbeitungsvertrag) is required under Art. 28 of the General Data Protection Regulation (GDPR) whenever a company (the controller) commissions a service provider (the processor) to process personal data on its behalf.
The contract regulates the rights and obligations of both parties with regard to data protection, in particular the controller’s authority to issue instructions and the processor’s data security obligations.
The minimum contents include the subject matter and duration of the processing, type and purpose, type of personal data, categories of data subjects and the processor’s obligation to maintain confidentiality, technical and organizational measures (TOMs), subcontracting relationships and deletion of the data after the end of the contract.
Without a DPA, the transfer of personal data to the service provider violates the GDPR; the company risks fines as well as civil liability.
Startups should check at an early stage where they use external service providers (e.g. cloud hosting, newsletter services) and conclude a corresponding DPA with each of them.
Purpose and scope of application
The data processing agreement (DPA) serves to protect personal data when it is processed on behalf of the controller. As soon as a controller (the commissioning company) engages an external service provider that collects, uses or stores personal data on its behalf, the GDPR requires contractual guarantees for data protection. Typical examples are cloud services, hosting providers, newsletter dispatch services, analytics tools and external payroll accounting. The DPA ensures that the service provider processes the data only in accordance with the controller's instructions and within the limits of the GDPR.
Legal requirements (Art. 28 GDPR)
Art. 28 GDPR sets out in detail the minimum points that a DPA must regulate:
- Purpose and duration of processing: what service is provided and for how long the data is processed.
- Type and purpose of processing: e.g. storage of customer data for sending newsletters.
- Type of personal data and categories of data subjects: e.g. contact details of customers.
- Obligations and rights of the controller: for example, the controller has the right to issue instructions and must be able to exercise it.
- Obligations of the processor: in particular, processing the data only in accordance with the documented instructions, binding every person who handles the data to confidentiality, and implementing suitable technical and organizational measures (TOMs) to protect the data (e.g. encryption, access restrictions).
- Subcontracting relationships: the processor may engage further subcontractors only with the approval of the controller and must bind them contractually to the same obligations.
- Support obligations: the processor must support the controller in complying with data subject rights (e.g. access, erasure) and with obligations such as data protection impact assessments.
- Return/deletion: once processing has been completed, the processor must delete or return all personal data, at the controller's choice (unless a statutory retention obligation applies).
- Controls and evidence: the controller has the right to audit the processor's data processing; the processor must be able to demonstrate compliance with the agreed measures.
Obligations of the controller and processor
Concluding a DPA alone is not sufficient – both parties must fulfill the agreed obligations on an ongoing basis:
- Controller: the controller remains in charge of the data and must select the processor carefully (ensuring sufficient guarantees), issue and document instructions clearly, and carry out checks or audits where necessary. It is also responsible for informing the data subjects and, where required, for keeping a record of processing activities, which also covers the commissioned processing.
- Processor: the processor may use the data only as contractually agreed and in accordance with the controller's instructions, must keep its security measures up to date, and must report personal data breaches to the controller (Art. 33 GDPR – obligation to notify breaches). It must also provide all supporting activities (e.g. assistance with access requests) without undue delay.
Both parties should conclude the DPA in writing or in text form (the GDPR requires written form, but electronic form is accepted) and archive it properly.
Consequences and significance for startups
If a company violates Art. 28 GDPR by having personal data processed by third parties without the necessary data processing agreement, it may face severe fines (in serious cases up to EUR 10 million or 2% of annual global turnover). In the event of a data breach, data subjects may also bring claims for damages under data protection law.
It is therefore essential for startups to gain an overview of all outsourced data processing at an early stage. Typically, services such as web analytics, cloud hosting, external support providers or marketing tools are used. For each of these, it must be checked whether a contractual relationship exists and whether a DPA is required. Most large service providers already offer pre-formulated DPAs that only need to be concluded (often online). It is advisable to keep these documents in a safe place and to check regularly whether the processing still takes place within the agreed framework.