Contract processing
Whenever the controller does not process any data itself, but has this done by another party, this constitutes commissioned processing.
According to Article 4 No. 8 GDPR, a "processor" is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
What must be observed when using a processor is set out in Articles 28 et seq. GDPR.
The most important obligations and responsibilities of the processor are:
- Obligation to follow instructions under Art. 29 GDPR
- Maintenance of a record of processing activities in accordance with Art. 30 para. 2 GDPR
A basis is required to carry out order processing.
In most cases, order processing is carried out by means of a contract in accordance with Art. 28 para. 3 GDPR.
However, certain provisions must be included in this contract. The minimum requirements for such an order processing contract include the following obligations of the processor:
- Processing of personal data only on the documented instructions of the controller
- Obligation of confidentiality / processor is subject to an appropriate statutory duty of confidentiality
- Guarantee of compliance with Art. 32 GDPR
- Compliance with Art. 28 (2) and (4) when using another (sub)processor
- Supporting the controller in complying with Art. 32 to 36 GDPR
- Deletion or return of all personal data, and deletion of copies, after the processing activity has been completed
- Provision of all necessary information to demonstrate compliance with the above obligations
- Enabling audits, including inspections, by the controller or a person authorised by the controller
- Immediate notification to the controller if an instruction violates the GDPR or other data protection regulations in the opinion of the processor
There is therefore a lot to consider when concluding a so-called "order processing contract" (AVV).