What is an on-demand order

According to the EU General Data Protection Regulation (GDPR), every company that has personal data processed by a service provider on its behalf must conclude an order processing contract (AV contract). Under the old terminology of the Federal Data Protection Act (BDSG), the document was known as an order data processing contract or ADV contract.

The requirements for such a contract for the processing of personal data have increased with the GDPR. Compared to the previous § 11 BDSG (old version), softer regulations have been set up with regard to the contract itself. The relationship between the client and the contractor is, however, much stricter overall than was the case under the old version of the BDSG.

The free sample for an order processing contract from activeMind AG helps both parties (client and contractor) to ensure the necessary clarity during order processing. Rights and obligations in order processing (AV) are explicitly regulated. This makes it easier to meet the requirements of the GDPR on accountability and joint liability.

What is an order processing contract?

A contract for order processing (formerly: order data processing) must always be concluded when personal data is processed by a service provider who is bound by instructions. AV service providers can, for example, be payroll offices, data carrier disposal companies, advertising or marketing agencies, cloud computing providers, web or e-mail hosts or even freelancers.

The AV contract to be concluded regulates the rights and obligations of the client and contractor as well as any sub-service providers to be used. Among other things, it must be guaranteed that the contractor processes the data entrusted to him only for the purposes for which the client collected the data. Above all, however, the service provider is obliged to protect the data accordingly. In order to actually guarantee this, the contract will grant the client extensive control rights in this regard.

What must an AV contract contain?

The individual rights and obligations of both parties in order processing are regulated by Art. 28 GDPR. The minimum requirements listed there must be included in the AV contract; they can and should be contractually designed on a case-by-case basis or adapted to the respective service provider and his activities:

  • Subject and duration of the processing
  • Type and purpose of processing
  • Type of personal data, group of data subjects
  • Scope of the authority to issue instructions
  • Responsibilities and rights of the person responsible
  • Obligations of the processor:
    • Processing according to documented instructions,
    • Maintaining confidentiality or secrecy,
    • Taking suitable measures for the security of its own processing,
    • Lawful involvement of subcontractors,
    • Support of the person responsible in answering requests from data subjects,
    • Support of the person responsible in compliance with his obligations under Art. 32 to 36 GDPR,
      • Taking suitable measures for the security of processing (Art. 28 III 2 lit. f GDPR in conjunction with Art. 32 GDPR),
      • Reporting violations of the protection of personal data to the supervisory authority (Art. 28 III 2 lit. f GDPR in conjunction with Art. 33 GDPR),
      • Notification of the person affected by a violation of the protection of personal data (Art. 28 III 2 lit. f GDPR in conjunction with Art. 34 GDPR),
      • Carrying out a data protection impact assessment (Art. 28 III 2 lit. f GDPR in conjunction with Art. 35 GDPR),
      • Consultation of the supervisory authority in the case of processing with high risks (Art. 28 III 2 lit. f GDPR in conjunction with Art. 36 GDPR).
    • Deletion or return after completion of the order,
    • Providing information and enabling reviews

An important part of the contract is an annex on the technical and organizational measures with which the contractor guarantees data protection and data security for the data provided to him.

Contract for the processing of personal data according to the EU General Data Protection Regulation

The European General Data Protection Regulation, to be applied from May 2018, fundamentally re-regulates the relationship between client and contractor. In particular, the accountability introduced by the GDPR makes responsible bodies, i.e. the client, much more responsible. It must be possible to prove at any time that the implementation of data protection requirements was not only designed; it must also be proven in future that this implementation works! Clients must also take care of this within the framework of the AV. The statutory joint liability for data protection violations is also new.

Existing ADV contracts negotiated on the basis of the BDSG and the eight data protection laws will probably have to be renegotiated to a large extent. It can be assumed that some of these negotiations will not be easy. However, it is in the mutual interest of the client and contractor to tackle this process quickly. The rule here is: the more clearly the agreements are concluded and the more precisely the obligations are defined in the ADV contract, the more legal certainty can be expected.

The free sample contract for order processing of personal data according to GDPR will help you. Of course, the template should always be adapted to the individual case.

Other samples and templates for AV contracts

Would you prefer to put data protection in professional hands? Then hire us now at a fixed price as an external data protection officer!

In version 2.2 we have revised the instructions for filling in the template and some alternatives for text modules, especially for data processing in third countries. In addition, the annexes have been fundamentally updated.

If you are using an older version of our template for an AV contract, you should compare the attachments with the current version 2.2.

In version 2.1 only one paragraph was adjusted:

Version 2.0

§ 4 Paragraph (11):

If the contractor is not established in the European Union, he appoints a responsible contact person in the European Union in accordance with Article 27 of the General Data Protection Regulation. The contact details of the contact person as well as any changes in the person of the contact person must be communicated to the client immediately.

Version 2.1

§ 4 Paragraph (11):

If the contractor is not established in the European Union, he appoints a responsible contact person in the European Union in accordance with Article 27 of the General Data Protection Regulation, if required. The client must be informed immediately of the contact person's contact details and any changes in the person of the contact person.

The current version 2.0 of the AV contract differs from the previous version (1.7) in the following areas:

  • § 1 (2)
  • § 3 (title)
  • § 4 (3) and (6)
  • § 5 (title)
  • § 5 (8)
  • § 7 (8) and (9)
  • § 8 (4)
  • § 9 (1)
  • § 11 (1), (2) and (4)
  • § 14 (1)
  • § 16 (3)
  • Appendix 1 (info box and last list)
  • Appendix 3 (title + last sentence)