Lars Galow (Management, Information Security Officer)

Christoph Wilken (Consultant)

Thorsten Kamp (Officer, Deputy Information Security Officer)

Visitor address

Ecological Centre ÖCO, 3rd floor
Uhlhornsweg 99a
26129 Oldenburg

Postal address

Carl von Ossietzky Universität Oldenburg 
Stabsstelle Datenschutz- und Informationssicherheitsmanagement
Ammerländer Heerstr. 114-118
26129 Oldenburg

Contract processing

Whenever the controller does not process any data itself, but has this done by another party, this constitutes commissioned processing.

According to Article 4 No. 8 GDPR, a "processor" is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

What must be observed when using a processor is set out in Articles 28 et seq. GDPR.

The most important obligations and responsibilities of the processor are:

  • Obligation to follow instructions under Art. 29 GDPR
  • Maintenance of a record of processing activities in accordance with Art. 30 para. 2 GDPR

A basis is required to carry out commissioned processing.

In most cases, commissioned processing is carried out on the basis of a contract in accordance with Art. 28 para. 3 GDPR.

However, certain points must be agreed in this contract. The minimum requirements for such a commissioned processing contract include the following obligations of the processor:

  • Processing of personal data only on the documented instructions of the controller
  • Obligation of confidentiality / processor is subject to an appropriate statutory duty of confidentiality
  • Guarantee of compliance with Art. 32 GDPR
  • Compliance with Art. 28 (2) and (4) GDPR when using another (sub)processor
  • Supporting the controller in complying with Art. 32 to 36 GDPR
  • Deletion or return of all personal data, and deletion of copies, after the processing activity has been completed
  • Provision of all necessary information to demonstrate compliance with the above obligations
  • Enabling audits, including inspections, by the controller or a person authorised by the controller
  • Immediate notification to the controller if, in the opinion of the processor, an instruction violates the GDPR or other data protection regulations

There is therefore a lot to consider when concluding a so-called "order processing contract" (AVV).

You have reached the end of the data protection basics. We hope that this "guide" was clear and easy to follow. If you have any further questions, please contact the Data Protection and Information Security Unit.

Internet coordinator (Changed: 29 May 2024)