GDPR: Order Processing

The General Data Protection Regulation provides a uniform, Europe-wide basis for so-called ‘order processing’. Order processing is the gathering, processing or use of personal data by an order processor, on the basis of a contract and in accordance with the instructions of those responsible for the data processing.

The relevant regulations for order processing already apply if the processing is connected to the activities of a branch within the EU. This means that it is sufficient if either the person responsible or the order processor operates a branch in the EU, and the processing is connected to this work. In a constellation of order processing, the joint persons responsible (Art. 26 of the GDPR) are those who together define the purposes and means of the data processing, and who are also jointly responsible for these. In selecting the order processor, the persons responsible must ensure that it has implemented sufficient technical and organisational measures to ensure that the rules of the regulation are complied with.

In most cases, order processing proceeds based on a contract. Art. 28, para. 3 of the GDPR sets forth the minimum requirements. The contract must state, among other things, what type of personal data will be processed, as well as the object and purpose of the processing. In addition, there are further obligations for the order processor. For example, it must also maintain an index of the processing activities, which includes the names and contact data of each person responsible for whom it works on an order, as well as the categories of processing carried out for them. Furthermore, the index must include, if applicable, the transfer of personal data to third countries and, if possible, a general description of technical and organisational measures.

Basically, the person responsible is the first contact for those impacted, and for compliance with the legal requirements for data processing. This does not mean, however, that the order processor is free of liability. According to Art. 82 of the GDPR, it is jointly liable with the persons responsible. However, the order processor’s liability is limited as per para. 2 to violations of duties which are specific to it. Both parties have the ability to exculpate themselves. To do this, they must prove that they were not responsible in any way for the circumstances leading to the damages.