
GDPR compliant data processing agreement

If personal data is processed by an external service provider on behalf of your company, you as the client and the external service provider as the contractor must conclude a separate contract. This contract regulates under which conditions the processing of personal data may take place.

Classic examples of commissioned processing are the use of the services of external data centres, software providers or even lettershops for marketing measures. But is there actually a difference between the commissioned data processing agreement and the data processing agreement? What information must such a contract contain in order to meet the requirements of the GDPR?

In the following article, we explain how you can create data processing agreements in compliance with the GDPR.

Most important information on data processing and data processing agreements

  • When personal data are processed by external companies, this constitutes commissioned data processing; however, not every transfer of data constitutes commissioned processing (e.g. to tax advisors, banks, etc.).
  • As a consequence of data processing, a data processing agreement is necessary, which sets out the rights and obligations of the client and the contractor.
  • A missing or inadequately drafted data processing agreement can be punished with heavy fines, with the processor also being liable.
  • The principal is responsible for compliance with the GDPR.

When does data processing take place?

If your company commissions external service providers to process personal data, data processing (almost always) takes place. In this case, you as the client are responsible for proper data processing and data protection. This was already laid down in Section 62 BDSG (new) and is now regulated in Art. 28 GDPR.

Examples of data processing are:

  • Fully or partially outsourced data centres
  • Marketing campaigns (e.g. customer surveys or newsletters) by external service providers
  • External accounting
  • Use of tracking software

However, not every transfer of personal data constitutes data processing. The decisive factor is whether the service provider is bound by instructions. If external service providers can freely decide what happens to your company's data without being bound by your instructions, this is referred to as a transfer of functions. This is not considered data processing.

How does data processing work according to GDPR?

  1. Before the start of the commissioned processing, a data processing agreement shall set out an approach for the implementation of data protection requirements.
  2. Compliance with the data protection requirements by the processor must be regularly checked by the client.
    1. This can be done through actual on-site inspections, written information, reports by the in-house data protection officer or an expert report.
    2. The type and intervals between the control measures depend on the number and scope of the data transmitted; there is currently no precise legal requirement.
  3. All inspections of the contractor must be documented.

What is a data processing agreement?

The data processing agreement according to Art. 28 GDPR must be concluded when a company has personal data processed by third parties or service providers. It thus replaces the data processing agreement of the BDSG.

A data processing agreement is intended to ensure that service providers process the data only for the purposes for which the client has collected them, and it thus prohibits service providers from using the data for their own purposes. In addition, the data processing agreement obliges service providers to protect the data entrusted to them with appropriate measures. Since the client remains the controller responsible for protecting the data under the GDPR, the client is granted comprehensive control rights in the contract.

Is there a difference between the data processing agreement from the German Federal Data Protection Act (BDSG) and the GDPR?

In Germany, data processing was already regulated in German legislation, the Federal Data Protection Act, before the GDPR came into force. With the entry into force of the GDPR in 2018, the regulations on data processing in the BDSG were replaced.

Adjustments were made to the content, which also affected the duties and responsibilities of the data processors. Among other things, they are now obligated to maintain confidentiality and support the client in the event of inquiries from data subjects and the like.

Another innovation concerned the liability of processors and clients. They are now jointly liable vis-à-vis data subjects, whereby the liability of the processor is limited to violations resulting from a breach of the obligations specifically defined in the data protection agreement.



What is included in a data processing agreement?

To conclude a GDPR-compliant data processing agreement, the following aspects, among others, must be legally established according to Art. 28 para. 3 GDPR:

  • Subject and duration of processing
  • Nature and purpose of the processing
  • Type of personal data
  • Categories of persons concerned
  • Duties and rights of the controllers
  • Adoption of appropriate technical and organisational measures (TOM) for the protection of personal data
  • Scope of the authority to issue directives
  • Obligations and rights of the processor
  • Confidentiality agreement
  • Reporting obligation of the contractor
  • Duty to cooperate/support by the contractor
  • Control powers
  • Legitimate use of subcontractors
  • Preservation of the rights of data subjects
  • Duration of the order
  • Termination with return or deletion of the data of the processor
  • Final provisions

To guarantee legal protection in the long term, the data processing agreements must be reviewed regularly. The Robin Data Software supports you in this. Simply enter a responsible person and the date of the planned review, and Robin Data will remind the responsible person of this activity. In addition, an activity report according to GDPR is created.

Tasks of the client and contractor

  • Client
    • Written or electronic data processing agreements regulating specific aspects of data processing
    • Control of the data protection measures laid down in the data processing agreement
    • Responsible for compliance with data protection regulations and the protection of data
  • Contractor
    • Supporting clients in the implementation of data protection requirements
    • Create data protection concept, which includes the work processing
    • Preparation of legally compliant data processing agreements

Who is considered a processor?

Pursuant to Art. 4 No. 8 of the GDPR, a processor is a person or body that processes personal data on behalf of the controller. This can be a natural or legal person, as well as an authority, institution or other body.

What are the obligations of processors?

  • Obligation to process data exclusively in accordance with the instructions contractually regulated in the data processing contract
  • Confidentiality
  • Obligation to support the client in complying with data protection obligations, as well as in the case of data subject inquiries and other data protection requirements
  • Obligation to take appropriate technical and organisational measures to protect data
  • Obligation to report data protection breaches immediately to the supervisory authority and to the data subjects
  • Mandatory data protection impact assessments to be performed

The obligations of the processors can be found in Article 28 to Article 36 of the GDPR.

What is the importance of data processing agreements for companies?

Data processing agreements provide clarity for both you and the processor by regulating, among other things, powers, instructions and the purpose of the processing. Rights and obligations are also clearly defined, which creates a certain level of security. In the event of a data protection breach by the processor, the data processing agreement can be used to prove that the responsibility lay within the processor's area of responsibility. Nevertheless, the main responsibility remains with the client.

When must a data processing agreement be concluded?

It is not possible to make a blanket statement about when a data processing agreement must be concluded. The decisive factor is the relationship between the client and the contractor. If the contractor acts on behalf of a company that has the authority to issue instructions, a data processing agreement must be concluded. If there is no authority to issue instructions, no data processing agreement needs to be concluded.

What happens if no data processing agreement is concluded?

If a data processing agreement is missing entirely although it is required, Art. 83 GDPR provides for fines, as Section 43 BDSG did previously. In contrast to the BDSG, these have been significantly increased with the GDPR and can now amount to up to €20 million or up to 4% of the annual turnover generated worldwide.

Fines may also be imposed in case of lack of implementation, incompleteness of the data processing agreement and non-compliance with instructions during data transmission. In addition, consumers can sue for damages if proof of data misuse can be provided.

In this case, the client and contractor are jointly liable under the GDPR, whereby both parties have the opportunity to prove their innocence. Without a data processing agreement, however, this is difficult or nearly impossible, which may result in further costs.

When is a data processing agreement generally not needed?

A data processing agreement is unnecessary if data processors are already obliged to protect personal data due to trade-specific or professional regulations. For example, tax advisors, banks or auditors provide specialist services that do not require a data processing agreement.

What has to be considered when processing data abroad?

The Federal Data Protection Act already regulated the processing of personal data abroad. This regulation has hardly changed under the GDPR and provides that data collected domestically may not be transferred abroad without the consent of the data subjects or a legal permission.

Member states of the EU or the European Economic Area, as well as countries with an adequate level of data protection, are exempt from this regulation. A list of countries with an adequate level of security, as well as further information on the subject of data transmission abroad, can be found here. Commissioned processing in third countries is possible if certain measures are taken into account and implemented.

What must the privacy statement contain with regard to data processing?

The privacy policy of a website should show by whom user data is processed. Tracking services such as Google Analytics should also be listed as external service providers in order to avoid penalties and fines.

Can model contracts be used to draw up a data processing agreement?

Sample templates can be used to create a data processing agreement. They can ensure clarity on both sides, as GDPR-compliant specifications are already in place. Nevertheless, sample templates must be adapted to individual cases and filled out correctly. In doing so, an expert or a data protection officer should be consulted.

Management of the data processing agreements with Robin Data Software

Robin Data Software offers data protection officers the possibility to manage all data processing agreements with external service providers and contacts in one place. For this purpose, you can not only create and manage the contracts digitally, but also include them directly in your processing activities in a GDPR-compliant manner. This allows you to create digital, data protection-compliant documentation step by step.

You can find more information on managing data processing agreements in our help centre.

Whitepaper including sample data processing agreement

In the whitepaper "GDPR-compliant contract management incl. sample template data processing agreement" you will find:

  • Information on commissioned processing and the processor
  • More about the creation of data processing agreements
  • A detailed sample template data processing agreement as Word file and PDF

Unfortunately this content is currently only available in German. Please feel free to contact us for more information.


Robin Data follows the recommendations of the supervisory authorities in terms of content. The following FAQ uses content from the Bavarian State Office for Data Protection Supervision. Here you can find the FAQ of the LDA Bavaria.

The data processing agreement regulates the rights and obligations of the "principal" and the "contractor". This specifically concerns the processing of personal data.

Commissioned processing is when a client is commissioned to process personal data. This processing order includes, for example, professional services. In terms of data protection law, a commissioned processing contract only exists if the data processing concerns personal data.

The content requirements are based on Art. 28 (3) GDPR.

Art. 28 (9) GDPR stipulates that the contract for commissioned processing must be drawn up in writing. Written in the sense of the GDPR also includes the electronic or digital provision of the contract. In terms of the obligations to provide evidence of data protection documentation, the controller and contractor must document the commissioned processing, in particular so that they can provide meaningful information in the event of an inspection by the supervisory authorities.

Caroline Schwabe