Order processing contract (AV contract) GDPR | IT-Medienrecht

Protect your data with an Order processing contract (AV contract) under GDPR. Learn all about legal requirements, purpose, and obligations for controllers…

Most Important Points Regarding Data Processing Agreements

Purpose and Scope of the Data Processing Agreement

A Data Processing Agreement (DPA) protects personal data. The General Data Protection Regulation (GDPR) mandates such agreements when a controller (the commissioning company) engages an external service provider. This applies if the service provider collects, uses, or stores personal data on the controller's behalf.

Typical examples include cloud services, hosting providers, newsletter dispatch services, analytics tools, or external payroll accounting. The DPA ensures that the service provider processes data only in accordance with the controller's instructions and within the scope of the GDPR.

Legal Requirements: Article 28 GDPR

Article 28 GDPR outlines the specific minimum points that a DPA must regulate. These provisions ensure comprehensive data protection:

Obligations of Controller and Processor

Concluding a DPA alone is not enough; both parties must continuously fulfill their agreed obligations.

Both parties should conclude the DPA in writing or text form. Although GDPR requires written form, electronic form is generally accepted. Proper archiving of these documents is also essential.

Consequences and Significance for Startups

Violating Article 28 GDPR by processing personal data through third parties without a necessary Data Processing Agreement can lead to severe consequences. Companies may face substantial fines, in serious cases up to EUR 10 million or 2% of annual global turnover. There is also a risk of claims for damages from data subjects if data breaches occur under data protection law.

It is therefore essential for startups to gain an early overview of all outsourced data processing. Typical services include web analytics, cloud hosting, external support, or marketing tools. For each of these, businesses must verify if a contractual relationship exists and if a DPA is required. Many large service providers offer pre-formulated DPA contracts, often available online. It is advisable to securely store these documents and regularly review whether data processing still aligns with the agreed framework.

Fazit

The Data Processing Agreement (DPA) is a critical component of GDPR compliance for any company engaging third-party service providers to handle personal data. It safeguards data, mitigates legal risks, and clarifies responsibilities between controllers and processors. Startups, in particular, must prioritize establishing and maintaining robust DPAs to avoid hefty fines and protect their reputation in a data-driven world.