Template: Commissioned-processing contract based on GDPR
According to the EU General Data Protection Regulation (GDPR), every company that wants a service provider to process personal data on the company’s behalf must have a commissioned-processing contract (CP contract) with that provider. This document was formerly known as a commissioned data processing contract, or CDP contract, in the terminology of the Federal Data Protection Act (FDPA) in Germany.
The contractual requirements for personal data processing are increasing with the GDPR. Compared to the previous § 11 FDPA, softer regulations have been established with respect to the contract itself. However, the relationship between the customer and the contractor (also referred to respectively as the ‘controller’ or ‘principal’ and ‘processor’ or ‘agent’) is significantly more specific than it is according to the FDPA in its present form.
The free commissioned-processing contract template from activeMind AG helps both parties (customer and contractor) provide the necessary clarity in commissioned processing (CP). Rights and obligations in CP are explicitly regulated. In this way, it is easier to meet the requirements of the GDPR on accountability and joint liability.
What is a commissioned-processing contract?
A contract for commissioned processing (formerly: commissioned data processing) should always be utilised whenever personal data are processed by an instruction-dependent service provider. For example, CP service providers can be salary-accounting offices, data-carrier providers, advertising and marketing agencies, cloud computing providers, web or e-mail hosting companies or freelancers.
The CP contract determines the rights and obligations of customers and contractors as well as subcontractors, if applicable. Thus, among other stipulations, the contract should guarantee that the contractor only processes the data entrusted to him/her for the purposes for which the customer collected the data. Above all, the service provider is obligated to protect the data to an adequate extent. In order to ensure that this level of data protection is actually provided by the contractor, the customer is granted comprehensive control rights in the contract.
Commissioned-processing contracts are to be adapted to the respective service provider and his/her functions. An important component of the contract is an appendix on the technical and organisational measures with which the contractor guarantees the data protection and data security of the data provided.
Contract for the commissioned processing of personal data according to the EU General Data Protection Regulation
The European General Data Protection Regulation, effective from May 2018, fundamentally redefines the relationship between the customer and the contractor. In particular, the accountability introduced by the GDPR obligates the customer to perform the statutory duties far more strongly than before. At all times, the customer must be able to demonstrate not only that the implementation of legal data protection requirements has been devised but also, going forward, to provide proof that the implementation works! For this reason, customers must also take care within the scope of the CP. Also new is the legally stipulated joint liability for data protection violations.
Many of the existing CDP contracts, e.g. those negotiated on the basis of the German Data Protection Act and the eight data protection directives, will presumably have to be renegotiated. It is safe to assume that parts of these negotiations will not be easy. However, it is in the mutual interest of the customer and the contractor to tackle this process swiftly. The clearer the agreements are made and the more precisely the obligations are defined in the CDP contract, the more legal certainty can be expected.
The free sample contract for processing personal data according to GDPR will assist you during this process. Of course, the template should always be customised for the individual case.
Samples and templates for CDP contracts according to the (old) Federal Data Protection Act (FDPA) in Germany
- Template of the Association for Data Protection and Data Security [Gesellschaft für Datenschutz und Datensicherheit e.V. (GDD)] (German and English)
- Bitkom template (German and English)