Order processing

Outsourcing computing processes to external service providers that are not affiliated with the company must be reviewed for data protection reasons and must be governed by an agreement on order processing (processing of personal data on behalf of a controller).

The responsibilities of an external data protection officer include reviewing the contracts a controller concludes with external service providers for order processing.

Art. 28 of the General Data Protection Regulation (GDPR) sets out the rights and duties of the controller (client) and the processor (contractor) in order processing. Among other things, an agreement on order processing between the responsible body (controller) and the processor is mandatory. Failure to conclude the required agreement can be sanctioned with administrative fines under Art. 83(4)(a) GDPR. Furthermore, under Art. 82(4) GDPR the controller and the processor are jointly and severally liable for damage caused by the processing.

Characteristic of an agreement on order processing is the controller's statutory right of control: the controller may regularly verify that the processor continues to maintain and comply with the technical and organisational measures at the processor's premises. The legislator thereby takes account of the fact that the body responsible for collecting personal data remains responsible even when the processing is carried out by a third party under contract, and that the processing must still be carried out in a data-protection-compliant manner.

Further particularities of order processing must be clarified in advance and addressed in the agreement required by Art. 28 GDPR. Where the processor is located abroad, the level of data protection in the country in which the processor carries out the processing is of great importance for the data protection assessment.

Data-protection-compliant provisions on the rights and duties of both parties to the order processing are indispensable: audit rights, rules on subcontracting, the controller's authority to issue instructions, and the handling of personal data when the contractual relationship ends.

In the area of order processing we advise you on the following topics:

  • Assessment of whether a case of order processing within the meaning of Art. 28 GDPR exists
  • Drafting data-protection-compliant agreements on order processing
  • Drafting agreements on function delegation (transfer of functions)
  • Review of the requirements for technical and organisational data protection measures
  • Reliability checks of external service providers by means of a data protection audit
  • On-site visits and inspection of the IT and telecommunications infrastructure to verify the reliability of the external service provider from a data protection perspective
  • For external service providers in a third country outside the EU: data protection review of the relevant case groups for concluding the required agreements on order processing and/or EU standard contractual clauses (choice of contract clauses)