GDPR order processing: what is it and why does it concern me?

Table of Contents:

  1. Order data processing: what is that anyway?
  2. Who is affected by the regulations on order data processing?
  3. What are personal data?
  4. Don't the external service providers have to worry about data protection?
  5. What happens if I do not conclude an order data processing contract?
  6. What happens to service providers from abroad?
  7. Contract data processing contracts: what must be regulated there?
  8. Can I use a sample contract for order data processing?
  9. Isn't it enough if I appoint a data protection officer?
  10. Do I have to mention order data processing in my data protection declaration?
  11. What exactly will change in order processing as a result of the GDPR?
  12. Checklist

1. Order processing: what is that anyway?

Short version: (Almost) whenever other companies have access to your customers' data, you are in the field of order processing (old name: order data processing) and have to conclude an AV contract (old name: ADV contract).

Order data processing was legally regulated before the GDPR in Section 11 BDSG (Federal Data Protection Act). The corresponding regulations can now be found in Art. 28 GDPR.


Through the GDPR, which has been in effect since May 2018, many points in the area of data protection and AV (old designation: ADV) have been reorganized.
You must conclude an AV contract (old name ADV contract) if you:

  • Use Google Analytics or other tracking software
  • Use external service providers for your newsletters and marketing campaigns
  • Assign external companies to do the accounting / payroll
  • Outsource all or part of your data center
  • Use remote maintenance systems

What is order processing (AV)?

A characteristic of order processing (old name: order data processing) is that a company (client) commissions external service providers (contractors) to process personal data subject to its instructions. The responsibility for proper data processing remains with the client, which is the main party responsible for data protection. The external service provider only provides support in order processing (old name: order data processing); it is practically the "extended arm" of its client.

There is an order processing (old name: order data processing) among others in the following cases:

  • An external data center is commissioned to carry out the payroll accounting.
  • A call center collects data from the client's customers.
  • A marketing agency processes customer data in order to create statistics or a newsletter.

There is no order processing (old name: order data processing) in the case of a so-called transfer of functions. The exact demarcation between order processing (old name: order data processing) and a transfer of functions is not always clear for many services. As a rule of thumb, however, in a transfer of functions the external service provider is not bound by instructions, but can freely decide what to do with the company's data and has its own interest in that data.

A transfer of functions is therefore present, for example, if a service provider rents out company vehicles on behalf of its client, or a debt collection company enforces the claims of its client.

2. Who is affected by the order processing regulations?

In almost every company, commissioned data processing is used, and often the companies concerned do not even know it. All too often, companies overlook Section 11 (5) of the Federal Data Protection Act (BDSG), which enormously expands the scope of order processing (old name: order data processing). According to this provision, the regulations for order processing (old name: order data processing) also apply to maintenance and inspection contracts if access to personal data cannot be excluded.

The order processing (old name: order data processing) also includes, for example, the following cases according to the GDPR:

  • A company hires a programmer to install, maintain, review and correct software.
  • A company commissions an IT service provider to check, repair or replace hardware.
  • A company hires an external service provider to shred files.

The mere possibility of data access by the contractor is sufficient. So it does not matter whether the contracted service provider actually accesses the data.

That means: As soon as an external service provider has any possibility of accessing personal data within the framework of an order, a detailed check should be made to determine whether the order processing regulations (old name: order data processing) apply.

3. What are personal data?

The regulations on order processing (old name: order data processing) only apply if the data is personal data. But when is data actually personal? The Federal Data Protection Act defines personal data as individual details about personal or factual circumstances of a specific or identifiable natural person (Section 3 (1) BDSG old / Article 4 GDPR).

That means: All information that can be somehow linked to a person also falls under the concept of personal data. The following data are therefore personal:

  • Name and address,
  • E-mail address,
  • Phone number and
  • Account details.

So if customers have to register for a newsletter with their email address, the email addresses are personal data. A login name is also personal data if it is linked to a real name or email address. Even IP addresses that are collected by Google Analytics, for example, constitute personal data if the provider of online services has legal means to identify the persons behind the IP address (see ECJ, judgment of October 19, 2016, C-582/14).

4. Don't the external service providers have to worry about data protection?

No. The commissioning company may not rely on the service provider to comply with data protection law. The client has to take care of data security itself; it is the main party responsible for data protection.

To meet this responsibility, the parties must conclude a contract before the start of order processing (old name: order data processing), the content of which is precisely specified by data protection law in Art. 28 GDPR (previously Section 11 Paragraph 2 Sentence 2 BDSG).
In addition, the client must check at regular intervals whether the contractor complies with the requirements of the Federal Data Protection Act. To do this, the client can:

  • carry out on-site inspections,
  • obtain the certificate of an expert,
  • obtain the report of its own data protection officer, or
  • obtain written information from the contractor.

The data protection act leaves open which specific measures the commissioning company must take and at what time intervals controls must be carried out. In particular, the extent of the data processing, the risk potential for those affected and the sensitivity of the data processed are decisive.

That means: If a company allows a PR agency to access millions of customer records in order to develop a new marketing strategy, regular on-site inspections will be necessary. If, on the other hand, the PR agency is commissioned by a small company that has stored only 100 customer records, written information from the contractor should generally suffice.

Important: The controls must be recorded. First, this is prescribed by law. Second, in the event of a dispute, this is the only way to prove to the competent supervisory authority that an inspection has actually taken place.

5. What happens if I do not conclude an order processing contract (old name: order data processing)?

If the company has not concluded a contract with the external service provider that meets the requirements of Section 11 (2) sentence 2 BDSG / Art. 28 GDPR, it can quickly become really expensive. According to § 43 Abs. 1 Nr. 2b, Abs. 3 BDSG, the responsible supervisory authorities could impose fines of up to 50,000 euros if the order for data processing was issued "incorrectly, incompletely or not in the prescribed manner". Under the GDPR, there are now fines of up to 20 million euros.

That means: If the parties have not concluded an order processing contract (old name: order data processing) or if it does not meet the requirements of Art. 28 GDPR (previously Section 11 (2) sentence 2 BDSG), the responsible supervisory authority can ask the company to pay. The conclusion of a contract for order processing (old name: order data processing) should therefore be high on the agenda.

In addition, the persons whose data are affected can claim damages from both the client and the contractor. Both parties have the opportunity to exculpate themselves and thus avoid liability for compensation. To do this, they have to prove that they are in no way responsible for the circumstance that caused the damage.

The following applies to the commissioning company: If the company has not concluded an order processing contract (old name: order data processing) with the external service provider, such proof will hardly be possible.

6. What happens to service providers from abroad?

If a company collects data domestically, it may only be transferred abroad without the consent of the data subjects or a legal permission if the recipient is located in a member state of the EU or the European Economic Area (see Section 3 (8) sentence 3 BDSG). Order processing (old name: order data processing) in third countries (e.g. in the USA) is only permitted if and to the extent that

  • the BDSG allows it (see, among others, § 28 BDSG),
  • a special legal regulation allows it, or
  • the person concerned has voluntarily, consciously and clearly consented to the data processing in accordance with Section 13 (2) of the Telemedia Act (TMG).

The result: If a marketing company in the USA is to be commissioned with the creation of a newsletter and is given access to the customer data, the consent of all persons to whom the data belongs is required.

7. Contracts for order processing (old name: order data processing): What must be regulated there?

What exactly has to be regulated in the contracts for order processing (old name: order data processing) is now described in Article 28 GDPR (previously Section 11 (2) sentence 2 BDSG). According to this, an agreement on data processing on behalf must contain provisions on the following 10 points:

  • the subject matter and duration of the assignment,
  • the scope, type and purpose of the intended collection, processing or use of data,
  • the type of data and the group of data subjects,
  • the technical and organizational measures to be taken in accordance with Art. 32 GDPR,
  • the correction, deletion and blocking of data,
  • the existing obligations of the contractor, in particular the controls to be carried out by it,
  • any authorization to establish subcontracting relationships,
  • the control rights of the client and the corresponding obligations of the contractor to tolerate and cooperate with them,
  • violations by the contractor or the persons employed by it of regulations for the protection of personal data or of the specifications made in the order, which must be reported,
  • the scope of the authority to issue instructions that the client reserves vis-à-vis the contractor,
  • the return of data carriers provided and the deletion of data stored by the contractor after completion of the order.

8. Can I, as an agency, use a sample contract for order processing (old name: order data processing)?

For example, if you as an agency manage Google Analytics data, Facebook pages or Facebook Audiences data for your customers, you must conclude an AV contract (old name: ADV contract) with Google.

Since the GDPR became binding on May 25, 2018, the General Data Protection Regulation (GDPR) has become directly applicable law in all member states. There is only one uniform set of rules for the protection of personal data across the EU.

Order processing (old name: order data processing) is now regulated in Art. 28 GDPR. The previous legal situation has changed. Many free templates on the internet are likely to no longer meet these requirements.

Practice tip:

As an agency, hoster or web designer, simply use eRecht24 Premium. There you will also find a legally secure template for an AV contract prepared by a lawyer.

9. Isn't it enough if I appoint a data protection officer?

Unfortunately, simply appointing a data protection officer is not enough. Data protection law makes the conclusion of a contract for order processing (old name: order data processing) mandatory, and, as shown above, its absence is subject to fines. Independently of this, the commissioning company must regularly check whether the service provider is complying with the data protection requirements. The company can meet this obligation by sending its own data protection officer to check the data security of the contractor.

Under certain circumstances, the external service provider may also be obliged to appoint a data protection officer. If there is such an obligation, the client and the contractor must also regulate this in the contract for order processing (old name: order data processing). The cases in which the external service provider must appoint a data protection officer were governed by § 4f (1) sentence 3 BDSG; Article 38 GDPR now applies:

The appointment of a data protection officer is mandatory if a company usually employs at least 10 people to process personal data.

That means: If, for example, a PR agency processes customer data in order to develop a new marketing strategy, and 10 or more employees or freelancers work for this agency, the agency must appoint a data protection officer. The obligation to appoint a data protection officer must also be regulated in the contract for order processing (old name: order data processing). In addition, the commissioning company must check that the external service provider actually fulfills its obligations and appoints a data protection officer.

10. Do I have to mention order processing (old name: order data processing) in my data protection declaration?


In the context of order processing (old name: order data processing), an external service provider (such as Google for Google Analytics) processes the user's personal data as an "extended arm" of the company. The commissioning company should definitely point this out in its data protection declaration. If the data protection declaration contains no reference to this processing, it can get really expensive: data protection authorities can punish data protection violations with a fine of up to 20 million euros. In addition, the client is exposed to warnings from competitors under competition law.

11. What changes in order processing (old name: order data processing) due to the GDPR?

Since May 25, 2018, all companies that have their data processed by order have to comply with the provisions of the GDPR.

The General Data Protection Regulation, which has been in force in full and uniformly in the European Union since May 2018, has made website operators, and especially shop operators and service providers, more accountable. The GDPR gives consumer data protection a higher priority than it has so far enjoyed under national regulations, and standardizes the requirements that must be complied with when processing so-called personal data.

The previous legal situation in Germany for order processing (old name: order data processing) has undergone some important changes with the GDPR.

11.1 Overview of the new regulations through the GDPR

Art. 28 GDPR contains a whole catalog of regulations for order processing (old name: order data processing). The existing regulations in § 11 BDSG are supplemented by it. In particular, the following new regulations apply to clients and contractors:

  • It is called "order processing", no longer "order data processing"
    The first change is of a purely linguistic nature. The "order data processing (ADV)" becomes the "order processing (AV)".
  • Reference to subcontractors
    Unlike the BDSG, the GDPR stipulates that contractors may only use subcontractors if the client has given written permission to do so. In addition, the commissioning company must be given the right to object at any time.
  • Confidentiality obligation
    The contractor must ensure that the persons authorized to process the personal data have committed themselves to confidentiality.
  • Support of the client
    The contractor has to undertake to support the commissioning company if those affected assert their rights under the GDPR.
  • No obligation to conclude AV contracts (old designation: ADV contracts) in writing
    Under the GDPR, AV contracts (old designation: ADV contracts) can now also be concluded electronically.
  • New rules on fines
    The GDPR also provides for much higher fines in the area of order processing (old name: order data processing) than was previously the case under the BDSG.


11.2 Order processing and GDPR: What does this mean in concrete terms for website operators, hosts, designers and agencies?

Order processing plays a special role in the application of the GDPR. This was previously referred to as order data processing, but has been given a new name by Art. 28 GDPR.

Order processing (short: AV) in the sense of the General Data Protection Regulation means the collection, processing or use of personal data by third parties. This is the case, among other things, when the website operator passes on user data, for example to external service providers who take on certain tasks for the operator (so-called outsourcing). This happens regularly as part of:

  • Wage, salary and personnel management
  • Invoice and receivables management
  • Hosting and server contracts
  • Software contracts
  • Use of cloud services
  • E-mail agreements.

Since consumer protection comes into focus with the GDPR, this protection must also be taken into account in AV (old designation: ADV), because it gives third parties access to the data of customers or users. GDPR-compliant outsourcing requires that you regulate the transfer of your customers' or users' personal data in dedicated contracts.

These contracts for order processing (old name: order data processing) between you as the client and the external service provider as the contractor were previously regulated in § 11 BDSG. The GDPR creates requirements that go beyond the previous regulation, so that you, as the website operator, have to review existing contracts and replace old contracts where necessary.

For a GDPR-compliant AV (old name ADV) between you and the contractor, the following content is particularly important:

  • Content of the processing activity
  • Duration of the processing activity
  • Manner of processing activity
  • Type and category of the data concerned
  • Scope of the authority to issue instructions
  • Existence of a confidentiality obligation
  • Existence of the technical and organizational framework according to Art. 32 GDPR
  • Regulations for external service providers and subcontractors
  • Clauses on participation in the data subjects' rights to information and the associated reporting obligation
  • The contractor's duty to provide information on compliance with the rules and regulations
  • Handling of the return and / or deletion of personal data after the processing activity has ended
  • Extent of participation in controls and reviews.

Important for you as a client: In the event of data protection violations, you are the first point of contact for the person or parties concerned, also under the provisions of the GDPR. However, the GDPR goes further in terms of liability than the Federal Data Protection Act: according to Art. 82 GDPR, the client and the contractor are jointly liable to the person concerned. The contractor's liability is limited to violations resulting from a breach of its obligations under the specific AV (old designation: ADV).

11.3 How do I go about switching to GDPR-compliant order processing (old name: order data processing)?

To be on the legally safe side after May 25, 2018, a review of existing AV contracts (old name: ADV) is urgently required. Check them against the framework conditions and criteria listed above and conclude new contracts if the old ones do not meet the legal requirements.

Our list of the most important companies relevant in the context of online shops and internet services can be of great help here.

Order processing (old name: order data processing) by provider

Order processing (old name: order data processing) through newsletter services

Order processing (old name: order data processing) by Google

  • Google Analytics: You can find the current Google Analytics AV contract (old designation: ADV contract) by logging into your Google Analytics account; under Administration -> Account settings you will find the "Addition for data processing".

Practical tip: As an entrepreneur, you have a duty to ensure the protection of user data. This naturally requires the involvement of your external service providers: take action and talk to your partners about GDPR-compliant order processing (old term: order data processing).

As a shop or website operator, you should carefully examine your outsourced processing activities and question the respective partners: contracts that do not meet the requirements of the GDPR always violate European law and can result in fines and sanctions.

New according to GDPR: no more written form required

The GDPR also contains an important relief for companies when concluding an AV contract (old name: ADV contract): these contracts no longer have to be printed out, signed and sent by post. The GDPR now also allows the contract to be concluded electronically.

Providers who conclude AV contracts (old designation: ADV contracts) with their customers can also make them available online from May 25, 2018. It is important, however, that the conclusion of the contracts and their assignment to a specific customer must still be documented in a legally secure manner.

For example, Google has already implemented this electronic contract for Google Analytics:

If you log into your Google Analytics account under Administration -> Account settings, you will find the "Addition for data processing" there.

New regulations on fines through the GDPR

If the agreement for order (data) processing does not meet the requirements of the GDPR, companies commit an administrative offense which, according to Art. 83 Para. 4 lit. a GDPR, can be penalized with a fine of up to 10 million euros or up to 2% of the total worldwide annual turnover of the previous financial year.

Practical tip: At eRecht24 Premium, agencies and web designers will find a sample AV contract (old name: ADV contract) that they can conclude with their customers.

12. Checklist for order (data) processing

Conclude an AV contract!

Companies that pass on customer data to external service providers for processing must conclude a written AV contract (old name: ADV contract), the content of which is specifically prescribed by the GDPR.

Log the control!

The commissioning company must check that the contractor complies with data protection law. To this end, it can carry out on-site inspections, obtain the certificate of an expert, obtain the report of its own data protection officer, or obtain written information from the contractor. The controls are to be recorded.

Attention to contractors abroad!

An AV contract (old name: ADV contract) with providers outside the EU (so-called third countries) is hardly possible at the moment. Here you usually need a legal regulation that allows the processing, or the data subjects have to consent to it.

Note on order processing!

Reference should be made to order processing (old name: order data processing) in the data protection declaration.

Check sample contracts!

Before using sample contracts for order processing (old name: order data processing), check whether they comply with the current legal situation and the GDPR, which has been in force since May 2018.