No job like any other: Order processing (AV)

Article 28 of the GDPR, Section 26 of the Federal Data Protection Act (2018) and Section 80 of the Tenth Book of the Social Security Act regulate 'data processing by order' or 'order processing (AV)' in Germany. They govern the 'outsourcing' of data processing contracts to external third parties.

Order processing replaces the 'order data processing (ADV)' of the 'old' Federal Data Protection Act. The new regulation leaves many of the previously applicable requirements for the controller unchanged.

Since the GDPR, the legal framework for order processing is generally provided by a data processing agreement in accordance with Art. 28 para. 3 GDPR. This agreement defines, among other things, the subject matter, purpose, type and duration of the processing as well as the type of personal data, the categories of data subjects and the rights and obligations of the controller and the processor.

Depending on the type of data collected, the controller must ensure that the processor is certified for the task and that it implements a security concept that ensures that the data processing complies with the legal requirements through appropriate technical and organizational measures. This is usually done by means of written information. Only then may the controller transmit personal data.

Under liability law, it is usually not the service provider who is responsible for breaches, but the controller. The processor, on the other hand, is liable if it has not fulfilled its obligations as a processor. This is the case if the processor has not followed the instructions of the controller or has even acted against the instructions.
