
Processor


Processor - Art. 28 GDPR

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; (definition from Art. 4(8) GDPR; the obligations of processors are set out in Art. 28 GDPR)


Typical processors are companies that process personal data on our behalf, for example:

  • Service providers to whom we transfer personal data for processing (e.g. marketing companies)
  • Service providers to whom we give access to internal data (e.g. technical service companies)
  • Providers of online software solutions (e.g. office software)
  • Providers of digital services (e.g. web host through which our emails are sent)

Processing on behalf (in German "Auftragsverarbeitung") exists when a service provider acts on our behalf and is bound by our instructions. In this case the external service provider only provides support and is, so to speak, our "extended arm". Under no circumstances may it use the data entrusted to it for its own purposes; if it did, it would no longer be a processor but a controller in its own right.




Examples
  • An advertising agency is commissioned to organise an event. As long as the agency is only responsible for designing the documents and the concept, it is not a processor within the meaning of the GDPR. However, if it sends out invitations on our behalf using a list of our customer contacts, or collects visitor data at the event, this is processing on behalf within the meaning of the GDPR.
  • An external IT service provider takes over our IT support. It sets up computers and, where necessary, connects to the company's systems via remote maintenance. This may give it access to the company's internal data and therefore to the personal data of employees or customers.
  • Every provider of online solutions that we use counts as a processor, because we store personal data in its systems as part of their use, even if it is only our business email address.
  • Our hosting provider, on whose server our website runs, is also a classic processor, even if we do not offer any registration options or personalised logins. This is because the IP addresses of website visitors also count as personal data. The hosting provider is therefore a processor in any case.

However, there is no processing on behalf in the case of postal services that transport letters or parcels, for example. Lawyers and tax advisers are not processors either: as holders of professional secrets they do not act on instructions but on their own responsibility, i.e. as controllers. It is therefore always necessary to check whether a service provider is acting as a processor or on its own responsibility.



What does that mean? 

As soon as we use a processor, we must ensure that the processor also complies with data protection law and implements appropriate technical and organisational measures to protect the data. This is usually regulated by a data processing agreement (in German an "AV-Vertrag", in English often called a DPA). Art. 28 GDPR specifies the minimum content of such an agreement; under Art. 28(9) GDPR it must be in writing, which includes electronic form.

According to Art. 28(3) GDPR, the agreement must regulate, among other things, the following points:

  • Subject, duration, nature and purpose of the processing
  • Type of personal data and data subjects
  • Information on the confidentiality obligations of the persons authorised to process the data
  • Information on the technical and organisational measures implemented
  • Regulations regarding the use of subcontractors
  • Regulations on support for enquiries and claims by data subjects
  • Regulations regarding the return or deletion of personal data
  • Regulations regarding the controller's rights of control over the processor
  • Information on the obligation of the processor to inform the controller of personal data breaches

Many service providers (especially in the online sector) offer ready-made data processing agreements that can be downloaded directly from their website. We sign the agreement and then return it to the processor for countersignature; some providers instead accept the agreement electronically within the service itself.