Where commissioned processing takes place, a commissioned processing contract (AV contract) has to be concluded. If this contractual protection is missing, both sides are threatened with unpleasant consequences. But many companies and freelancers find it difficult to define the contents of the contract. In some cases, samples and contract templates can be helpful. This article provides information on the topic.
Necessity of the contract according to the GDPR
An AV contract (English: Data Processing Agreement / DPA) must be concluded as soon as personal data is processed by an external service provider that acts in accordance with instructions. The spectrum of such providers is large and includes, for example, freelancers, contracting agencies and web hosting providers. You can find detailed information as well as more examples of order processing here: Data Protection in Order Processing.
The need to enter into a contract stems from Art. 28 para. 3 GDPR. The contract legally secures the data processing relationship. The rights and obligations of both parties (client and contractor) are regulated in the contract. Central to this is the contractor's commitment to ensure a sufficient level of personal data protection. Before the GDPR came into force, the contract was also known as a data processing order or ADV contract.
Penalties in the absence of a processing contract
AV contracts are often the focus of data protection inspections by the relevant supervisory authorities. Consequently, it is important for companies to have the necessary contracts in place and readily available upon request.
Transferring personal data to external partners without having concluded an AV contract, although commissioned processing is taking place, can have serious consequences. In the event of such a significant data protection incident, both the client and the contractor face a fine.
Contents of an AV contract
- Subject and duration of processing.
- Scope, nature and purpose of the intended collection, processing or use of data. Type of data and group of data subjects.
- Guarantee of technical and organizational measures.
- Correction, deletion and blocking of data.
- Possible authorization to establish subcontracting relationships.
- Control rights of the client and corresponding obligations of acquiescence and cooperation of the contractor.
- Obligation of the contractor's employees to maintain confidentiality.
- Contribution to data protection impact assessments and reporting requirements.
- Notifiable breaches by the Contractor or the persons employed by the Contractor of regulations on the protection of personal data or of the stipulations made in the order.
- Handling of requests and claims from data subjects.
- Extent of the authority to issue instructions, which the client reserves for itself vis-à-vis the contractor.
- Return of data carriers and deletion of stored data after completion of the order.
As an annex, the contract includes an overview of concrete technical and organizational measures (TOM) to be taken by the processor to protect the data.
Sample and templates for AV contracts
Numerous small businesses, freelancers, and even mid-market companies struggle to draft contracts. Defining the content and formulating it both require extensive know-how. Interest in samples and contract templates is correspondingly high.
Such sample contracts are easy to find as they are offered for download online by various associations and even some regulatory bodies:
But beware, even if the document template comes from an authority, it is ultimately only a non-binding recommendation. There is no individualization, nor is there any assumption of liability.
Tip: Keep track with a list
The number of processing contracts that a company has to conclude is usually much larger than is assumed at the outset. In the fields of online and data security alone, there are often numerous contracts to be signed, for example with providers such as Google, Microsoft and Salesforce.
With such a high number of contracts, it can be helpful to keep an overview list. This records the individual service providers, supplemented with information about when each contract was signed and where it can be found. With the help of such a list, it is easier to keep track of all contracts.
Individually designed AV contracts from the data protection expert
Tailor-made solutions promise the highest level of security for contractual protection of order processing. If you want to know that your data protection is in good hands, we are your partner. Nationwide, we advise companies on operational data protection and are happy to assist you as well. Take advantage of our free initial consultation.