In the digital world, the protection of personal information is more important than ever. Companies that process personal data face the challenge of not only making their services more efficient, but also protecting the privacy of their employees and customers.
A key element in this endeavor is the data processing agreement (DPA). In this article, we explain why this contract is a central pillar for data protection in the digital economy and how it contributes to a secure and trusting environment for companies and consumers.
We are an agency partner of eRecht24, where you can obtain legally compliant sample contracts, e.g. for AV contracts, as well as the eRecht24 Premium Generator, which you can use to create a privacy policy, legal notice, cookie consent banner and many other documents for a legally secure company.
Table of contents
- What is a data processing agreement and why is it so important?
- What does commissioned processing mean?
- When does commissioned processing apply?
- An example of when you need an AV contract.
- What is the situation with service providers abroad?
- Risks without a data processing agreement
- Are model contracts GDPR-compliant?
- Include the AV contract in the GTC
- Our recommendation for legally compliant AV contract templates
- Conclusion
What is a data processing agreement and why is it so important?
Imagine a company wants another company to help it work with customer information, for example by storing e-mail addresses or managing customer orders.
In the European Union, strict rules protect this information: the General Data Protection Regulation, or GDPR for short.
To ensure that everything runs according to the rules, the two companies must conclude a special contract: the data processing agreement (in German: Auftragsverarbeitungsvertrag, abbreviated AV contract).
Simply put, this contract is an important document that lays down clear instructions on how the personal data of customers may be handled. It ensures that the information is processed securely and in accordance with the law, which is particularly important when a company uses an external service provider to handle sensitive customer data. The contract specifies exactly what may be done with the data and ensures that both parties take data protection regulations seriously.
What does commissioned processing mean?
As soon as companies outsource services that involve access to customer data, they enter the area of so-called commissioned processing (Auftragsverarbeitung).
But what exactly does that mean? Put simply, commissioned processing occurs when personal data is collected, processed or forwarded by an external service provider on behalf of, and in accordance with the instructions of, the commissioning company.
The service provider that carries out the processing is referred to as the processor. The main responsibility for the secure and correct processing of the data remains with the company that commissions the processing, the controller. The service provider acts in a supporting capacity and may not use the data for its own purposes.
Personal data includes any information relating to an identified or identifiable natural person, such as names, addresses, bank details or private telephone numbers. E-mail addresses or login names are also personal data if they can be linked to a real person.
Data security and the protection of privacy are therefore the focus. Not only companies that collect data directly, but also those that commission third parties to process data must strictly adhere to the GDPR. In order to meet these requirements, it is necessary for the client and processor to conclude a data processing agreement.
When does commissioned processing apply?
In today's business world, where data plays a major role, it often happens that companies outsource certain tasks related to the processing of this data to external service providers.
Sometimes it is not entirely clear when you enter the area of commissioned processing. The following list gives some examples.
- Outsourcing payroll accounting: you hand over responsibility for your company's payroll accounting to a payroll office.
- Checking customer satisfaction: a call center conducts a customer satisfaction survey on your behalf.
- Transferring marketing tasks: you commission an agency, for example, to compile statistics or send out newsletters to your customers.
- Software support: a programmer takes care of the installation, maintenance and updating of your software.
- Web hosting: your website is hosted by an external provider.
- IT support: an IT service provider carries out repairs or replaces hardware for you.
- Document disposal: you outsource the destruction of files to a specialized service provider.
Interestingly, the external service provider, such as the call center or marketing agency, does not even have to actually access the personal data.
It is sufficient that the possibility of access exists in principle for commissioned processing to apply.
An example of when you need an AV contract.
If your agency creates websites for clients, for example, you often work with a web host to make the site available on the Internet. Since this web host has at least theoretical access to the data on the website, an AV contract must be concluded with it. You also need such a contract with your customer, for whom you act as processor.
But beware: in the privacy policy of the customer website, the web host must not be named as the controller; the controller remains the operator of the site, i.e. your customer. You must, however, name the web host you use as a sub-processor in the AV contract.
In principle, you always need an AV contract whenever external providers have access to the personal data that you process.
The following list gives a few more examples:
- Web analysis tools: these tools collect data about how visitors use your website. Since they record behavior and, in some cases, identifiers of users, you must conclude an AV contract with the provider, for example Google Analytics.
- Web hosting providers: every website is hosted on a server, and the hosting provider potentially has access to the personal data collected on that website. An AV contract is therefore necessary.
- E-mail marketing tools: if you send newsletters, these services process e-mail addresses and possibly other information about your customers.
- External accounting software: this software processes sensitive data such as financial information about customers and employees.
- Cloud services: when data is stored in the cloud, the providers theoretically have access to it. Google Drive and Dropbox are examples.
- Remote maintenance tools: tools such as TeamViewer enable remote access to computer systems, through which personal data can potentially be accessed.
What is the situation with service providers abroad?
Service providers within the EU and the EEA
If you work with service providers from other EU countries or the European Economic Area (EEA), you can do so relatively easily. The reason is that the General Data Protection Regulation (GDPR) applies in all of these countries, so they all offer the same level of protection for personal data as Germany. This makes collaboration easier, as no additional transfer mechanism is required beyond the AV contract itself to guarantee the level of protection.
Dealing with service providers outside the EU
Working with service providers from non-EU countries, including the USA, requires more attention. According to the GDPR, the transfer of data to such countries is only permitted if certain conditions are met. These conditions are intended to ensure that the level of protection for the transferred data complies with the GDPR. There are various mechanisms to ensure this:
- Adequacy decision: the third country must offer a level of protection recognized by the European Commission (Art. 45 GDPR). This is currently the case for a limited number of countries.
- Standard contractual clauses (SCC): the model clauses published by the European Commission (Art. 46 GDPR) are the most common basis for transfers to providers in countries without an adequacy decision.
- Binding corporate rules (BCR): large international groups can use these internal rules, approved by the supervisory authority, to secure data protection within their group of companies (Art. 47 GDPR).
- Explicit consent: for individual transfers that are not covered by any of the above, the explicit consent of the data subjects can serve as the basis (Art. 49 GDPR), for example when using US services such as Google Analytics or Zoom.
- Data Privacy Framework: following the end of the Privacy Shield, a new agreement between the EU and the USA, the "Data Privacy Framework", was adopted by the European Commission as an adequacy decision in July 2023. Companies should check whether a US service provider is certified under this framework before relying on it. Our article "The EU-U.S. Data Privacy Framework - Data Protection Agreement between the EU and the U.S." covers this topic in more detail.
It is crucial that companies that use service providers from third countries take a comprehensive look at the data protection requirements. In doing so, they should not only consider the legal framework, but also assess the risks for the data subjects. Data protection is an important concern for consumers and compliance with the GDPR not only protects personal data, but also strengthens trust in your company.
Risks without a data processing agreement
Compliance with the GDPR and the conclusion of a data processing agreement are not optional but a legal requirement for companies that have personal data processed on their behalf. To avoid high fines, legal disputes and claims for damages, companies should ensure that they conclude these important contracts in good time. Without them, the commissioned processing breaches Art. 28 GDPR, which can have serious consequences:
- High fines: breaches of the obligations of controllers and processors, which include the duty to conclude a processing agreement under Art. 28 GDPR, can be fined with up to 10 million euros or 2 % of global annual turnover, whichever is higher; the most serious infringements of the GDPR carry fines of up to 20 million euros or 4 %. These penalties are designed to underline the importance of data protection and to encourage companies to comply.
- Warnings and legal proceedings: companies that do not conclude a DPA also expose themselves to the risk of warning letters from competitors and possible legal proceedings. Such disputes are not only expensive but can also damage the company's reputation.
- Claims for damages: persons whose data has been processed unlawfully can claim compensation. Both the client and the processor can be held liable unless they can prove that they are not responsible for the breach, and without a data processing agreement that is difficult to prove.
Are model contracts GDPR-compliant?
Sample contracts can provide a practical starting point if you want to draw up a data processing agreement (AV contract) in accordance with the General Data Protection Regulation (GDPR). They provide a structure and help to ensure that no important aspect is overlooked. However, when using such templates, it is crucial to be careful:
- Check the source: not every template from the Internet complies with current legal requirements. The model contract should come from a trustworthy source such as eRecht24, a data protection authority or a specialist legal portal.
- Legal review: ideally, the template should be drawn up, or at least reviewed, by a lawyer. This increases legal certainty and ensures that the contract meets the specific requirements of the GDPR.
- Individual customization: a model contract only serves as a framework and must be adapted to the specific conditions of your data processing activities. This applies in particular to the type of data processed, the purpose and scope of the processing, and the technical and organizational measures that must be taken.
Include the AV contract in the GTC
An efficient strategy for handling data processing agreements is to incorporate the agreement into your general terms and conditions (GTC).
The GDPR requires that personal data processed on behalf of another party be covered by a data processing agreement.
However, this agreement does not necessarily have to be a separate document: Art. 28 GDPR only requires a contract or other legal act in writing, including electronic form. Integrating the AV contract into your GTC offers several advantages:
- Automatic validity: when a customer accepts your GTC for an order or service, the AV contract automatically becomes part of the business relationship. This simplifies the process considerably and ensures that you consistently act in compliance with the GDPR.
- Protection against liability: because the DP contract is an integral part of your GTC, you minimize the risk of legal consequences while strengthening data protection at the same time.
- Efficiency and clarity: by bundling your contractual documents, you avoid redundant agreements and ensure clear relationships both internally and for your customers.
To ensure that the integration of the DP contract into your GTC meets the legal requirements, we recommend that you observe the following points:
- Individual customization: make sure that the integrated DP contract is specifically tailored to your processing activities and the associated risks.
- Transparency: the provisions of the DP contract should be presented clearly and comprehensibly within the GTC in order to avoid misunderstandings.
- Legal review: have the adapted GTC reviewed by a data protection expert or lawyer to ensure compliance with the GDPR and other relevant regulations.
Our recommendation for legally compliant AV contract templates
Legally compliant documentation is mandatory, so when drawing up AV contracts it is essential to use legally compliant templates.
We therefore recommend specialized offers such as those from eRecht24. This service provides, among other things, attorney-approved samples for AV contracts that give your contractual arrangements a reliable basis. This not only provides legal certainty but also protects you against possible fines and legal disputes.
We can confirm their effectiveness and reliability from our own experience: they help you make your company GDPR-compliant and protect both your company and your customers.
Conclusion
The data processing agreement is a fundamental element of data protection that helps companies meet the requirements of the General Data Protection Regulation (GDPR) and strengthen the trust of their customers. By defining clear responsibilities between controllers and processors, it ensures the secure handling of personal data and helps to minimize legal risks.
Through clear agreements between the contracting parties and integration into the general terms and conditions, it offers an effective way to comply with the GDPR, while the use of tested templates from specialist providers guarantees a solid legal basis.
In the digital economy, the AV contract is therefore indispensable for compliance with data protection standards and for safeguarding privacy.