Argana Consulting GmbH 
Let's rather talk about how to solve the problems.

Processing on behalf of a controller (Auftragsverarbeitung) under the GDPR

A processor within the meaning of the General Data Protection Regulation (GDPR) is a natural or legal person, public authority, agency or other body that processes personal data on behalf of a controller (Article 4(8) GDPR). Responsibility for the personal data remains with the controller and is not transferred to the processor.

A processor may, for example, be an IT service provider that runs data processing for a customer or a cloud provider that stores data for a company. The processor may process the personal data only on the documented instructions of the controller and in compliance with data protection law; a processor that processes data for its own purposes outside those instructions is treated as a controller for that processing.

The relationship between the controller and the processor is governed by a data processing agreement, which defines, among other things, the nature and purpose of the processing, its duration, the type of personal data, the categories of data subjects and the technical and organisational measures for data security. The controller remains responsible for compliance with data protection law vis-à-vis the data subjects and the supervisory authorities, even if it has outsourced the processing to a processor.

A data processing agreement is a contract between the controller and the processor in accordance with Article 28 of the GDPR that governs the processing of personal data on behalf of the controller. It must be in writing, which includes electronic form (Article 28(9)), and should cover at least the following points set out in Article 28(3):

  • Subject matter and duration of the processing: It should be clearly defined which processing the processor performs on behalf of the controller and for how long.
  • Nature and purpose of the processing: It should be clear what is done with the data (e.g. hosting, backup, support access) and for what purpose.
  • Type of personal data and categories of data subjects: The types of personal data to be processed (including any special categories under Article 9) and the categories of data subjects (e.g. customers, employees) should be clearly defined.
  • Rights and obligations of the controller: The rights and obligations of the controller with regard to directing and controlling the processing and to compliance with the GDPR, as well as the way in which data security and data protection are monitored, should be defined.
  • Rights and obligations of the processor: It should be made clear what responsibilities the processor has with regard to the processing of personal data, including the technical and organisational measures required by Article 32 to ensure data security and its duty to assist the controller with data subject requests and with the notification of personal data breaches (Articles 33 and 34).
  • Subcontracting: It should be specified whether the processor is authorised to engage further processors (chain outsourcing) and under what conditions. Article 28(2) requires the controller's prior specific or general written authorisation; under a general authorisation, the processor must inform the controller of any intended addition or replacement of sub-processors so that the controller can object.
  • Liability and compensation: The liability and compensation rules in the event of a breach of the GDPR provisions or the contract by one of the parties should be defined.
  • Confidentiality and data protection: It should be ensured that all persons authorised by the processor to process the personal data are bound by confidentiality and that the processor takes all necessary technical and organisational measures to protect the data.
  • Return and deletion of personal data: It should be specified which steps the processor must take, at the controller's choice, to return or delete the personal data once the provision of the services has ended, and to delete existing copies unless retention is required by law.
  • Audit and inspection rights: It should be made clear which audit and inspection rights the controller has vis-à-vis the processor, and that the processor must make available all information needed to demonstrate compliance with the GDPR.
  • Applicable law and place of jurisdiction: The applicable law and place of jurisdiction for disputes in connection with the contract should be specified.


Important notice 

The data processing agreement is a written contract between two companies and should be drawn up and negotiated by legal counsel together with the data protection officer. The points listed above are intended as an overview only and are not a substitute for a contract template.


Term: chain outsourcing

Chain outsourcing, also known as multi-level outsourcing, refers to a practice in which a controller passes the processing of personal data to a processor, who in turn engages one or more sub-processors, who may themselves engage further sub-processors. In other words, it is a chain of companies that together carry out the processing of personal data. Under Article 28(4) GDPR, each link in the chain must be bound by contract to the same data protection obligations as the first processor, and where a sub-processor fails to fulfil those obligations, the first processor remains fully liable to the controller for the sub-processor's performance.