Order Processing in Accordance with the GDPR
Processing of Personal Data by External Service Providers as Order Processing
In the increasingly digital business world, it has almost become standard practice for companies to use external service providers to process personal data. Under the EU General Data Protection Regulation (GDPR), the use of external service providers to process personal data often constitutes order processing, which is subject to special legal requirements. The term “order processing” is not directly defined as such in the GDPR, but the term “processor” is. According to the GDPR, a processor is any natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In addition, a processor may only process personal data on the instructions of the controller. Thus, order processing is the processing of personal data by the contractor (processor) for the client (controller) in adherence to the client’s instructions. The decisive factor is whether the contractor is actually working for the client in accordance with instructions; the client must decide on the details of the processing. Consequently, there is in any event no order processing relationship where the contractor processes the personal data for its own purposes. Typical examples of order processing can be found in IT outsourcing or the outsourcing of business processes, cloud computing services, application service providing (ASP), software-as-a-service (SaaS) and website and email providers. In order to determine the legal requirements for the processing of personal data by external service providers, it must always be checked whether order processing in the legal sense of the GDPR actually exists. The mere contractual designation of the relationship as order processing by the parties involved is not sufficient.
Permissibility of Order Processing under the GDPR and Default Clauses
In the case of order processing, no additional legal basis is generally required to justify the processing of personal data in accordance with the agreement. In this respect, the processor relies on the same legal basis as the controller itself for the processing of the personal data concerned. If the processing would be permissible were the controller to carry it out itself, then the processor may in principle also process the personal data accordingly. Exceptions to this rule may arise in particular in cases with an international dimension. If, for example, data is to be transferred to a country that does not belong to the European Union (third country), the controller and the processor must fulfill further obligations and requirements depending on the third country concerned. The EU Commission has adopted adequacy decisions for some third countries. These determine under which additional conditions, if any, data transfer to the third country concerned is permitted. Adequacy decisions exist, for example, for Switzerland, the United Kingdom, the USA, Canada, Japan and some other third countries. If there is no adequacy decision from the EU Commission for a third country, the GDPR only allows data to be transferred to that third country if additional strict requirements are met. In such cases, the controller and processor must provide suitable guarantees and ensure that the data subjects have enforceable rights and effective legal remedies.
Legal Requirements for such an Agreement
The GDPR stipulates that in cases of order processing, a concrete framework must be established between the parties involved in order to legally define the scope and manner of data processing. For this reason, the controller and the processor usually conclude an order processing agreement. In such order processing agreements, the subject matter and duration of the data processing, the type and purpose of the processing, the type of personal data to be processed, the categories of data subjects and the obligations and rights of the controller must be specified. The GDPR sets out a number of other specific legal requirements that an order processing agreement must meet. These include, among other things, the obligation of the contracting parties to take appropriate technical and organizational measures to achieve an adequate level of protection with regard to the data to be processed. Which specific technical and organizational measures are ultimately suitable for establishing an adequate level of protection depends on the specifics of the individual case: the type and quantity of personal data, the purpose of its processing, and the companies involved.
The competent lawyer for advice regarding order processing according to GDPR and creation of order processing agreements in our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.