What is a commissioned-processing contract?
A contract for commissioned processing (formerly: commissioned data processing) should always be utilised whenever personal data are processed by an instruction-dependent service provider. For example, CP service providers can be salary-accounting offices, data-carrier providers, advertising and marketing agencies, cloud computing providers, web or e-mail hosting companies or freelancers.
The CP contract determines the rights and obligations of customers and contractors as well as subcontractors, if applicable. Thus, among other stipulations, the contract should guarantee that the contractor only processes the data entrusted to him/her for the purposes for which the customer collected the data. Above all, the service provider is obligated to protect the data to an adequate extent. In order to ensure that this level of data protection is actually provided by the contractor, the customer is granted comprehensive control rights in the contract.
Commissioned-processing contracts are to be adapted to the respective service provider and his/her functions. An important component of the contract is an appendix on the technical and organizational measures with which the contractor guarantees the data protection and data security of the data provided.
Contract for the commissioned processing of personal data according to the EU General Data Protection Regulation
The European General Data Protection Regulation, effective from May 2018, fundamentally redefines the relationship between the customer and the contractor. In particular, the accountability introduced by the GDPR obligates the customer to perform the statutory duties far more strongly than before. At all times, the customer must be able to demonstrate not only that the implementation of the legal data protection requirements has been devised; in the future, proof that the implementation works must also be provided. For this reason, customers must also take care within the scope of the CP. Also new is the legally stipulated joint liability for data protection violations.
Many of the existing CDP contracts, e.g. those negotiated on the basis of the German Data Protection Act and the eight data protection directives, will presumably have to be renegotiated. It is safe to assume that parts of these negotiations will not be easy. However, it is in the mutual interest of the customer and the contractor to tackle this process swiftly. The more clearly the agreements are made and the more precisely the obligations are defined in the CDP contract, the more legal certainty can be expected.
The free sample contract for processing personal data according to GDPR will assist you during this process. Of course, the template should always be customised for the individual case.
Samples and templates for CDP contracts according to the (old) Federal Data Protection Act (FDPA) in Germany