SITTIG LAW Law Firm Blog

Data protection agreement IT service provider

A data protection agreement with IT service providers is mandatory under Art. 28 GDPR as soon as personal data is processed on behalf of a processor. It regulates powers of instruction, technical and organizational measures and liability. Missing or incomplete contracts can result in fines, reputational damage and data protection violations - regular reviews are essential.
Contents

The most important facts at a glance

Why data protection agreements are essential for IT service providers

Digitalization has made IT service providers indispensable partners for almost every company. However, as soon as these service providers gain access to personal data, companies find themselves in a legal minefield.

Many managing directors and IT managers underestimate the data protection requirements when commissioning external IT service providers. A simple service contract is usually not sufficient, as a lot of personal data, especially that of customers and employees, is passed on so that IT service providers can process it according to instructions. The General Data Protection Regulation requires an order processing agreement if personal data is processed on behalf of a processor. If this is missing or incomplete, companies risk not only fines, but also a loss of trust from their customers and business partners.

Legal basis: Order processing according to GDPR

The central standard: Art. 28 GDPR

Art. 28 GDPR thus forms the core of the data protection requirements for cooperation with IT service providers. The provision regulates in detail the conditions under which a company may pass on personal data to a service provider for processing.

The basic rule is clear: commissioned processing may only take place on the basis of a contract that specifies the subject matter and duration of the processing, the type and purpose of the processing, the type of personal data and the categories of data subjects. This contract must be in writing or in another durable format.

Minimum contents of the order processing agreement

Art. 28 GDPR explicitly states the minimum content that a data protection agreement with IT service providers must contain:

The processor may only process personal data on the documented instructions of the controller. This authority to issue instructions is central: the IT service provider may not decide independently how to handle the data, but must adhere strictly to the client's instructions.

All persons who are authorized to process personal data must have committed themselves to confidentiality. This applies not only to the direct employees of the IT service provider, but also to any subcontractors.

The processor must take appropriate technical and organizational measures within the meaning of Art. 32 GDPR. These must be specifically described.

The agreement must regulate the conditions under which the IT service provider may involve another processor. The controller must agree to this transfer in advance, or at least be informed and have the option to object.

Delimitation of joint responsibility

Not every collaboration with an IT service provider constitutes order processing. The decisive factor is whether the service provider decides independently on the purposes and means of data processing or merely acts on behalf of the client in accordance with instructions.

If the IT service provider independently determines which data it processes and how, there is joint responsibility in accordance with Art. 26 GDPR. This is often the case, for example, when using marketing tools or analysis software where the provider pursues its own purposes.

The distinction is often difficult to make in practice, but is highly relevant from a legal perspective. In the case of joint controllership, different requirements apply than in the case of commissioned processing; in particular, controllers must regulate their respective obligations transparently and inform data subjects of their responsibilities.

Mandatory contents of a legally compliant data protection agreement

Object and duration of processing

The data protection agreement must precisely describe the specific services provided by the IT service provider and the context in which it comes into contact with personal data. General formulations such as „IT support“ are not sufficient - the agreement should specifically state whether it concerns system maintenance, software maintenance, hosting or other activities.

The duration of the commissioned processing must also be specified. It is also important to describe the processing context: In which systems will the data be processed? Are they production systems or test systems? Is data processed outside the EU systems? All these aspects must be set out transparently.

Nature and purpose of data processing

The agreement must specifically state the purpose for which the IT service provider processes personal data. The purpose typically results from the commissioned service: in the case of a hosting contract, the purpose is the technical provision of the server infrastructure; in the case of a maintenance contract, the purpose is to maintain system functionality.

The type of processing includes the specific processing operations: Is data stored, transmitted, modified or deleted? Does automated processing take place or do people have access to the data? These details are important in order to assess the risk to the rights of the data subjects.

Categories of personal data and data subjects

The data protection agreement must list which categories of personal data are processed. The categories may include: master data (name, address), contact data (email, telephone), contract data (customer number, contract history), payment data or usage data.

Particularly sensitive data in accordance with Art. 9 GDPR - such as health data, ethnic origin or biometric data - must be explicitly mentioned, as they are subject to increased protection requirements.

Authority to issue instructions and processing restrictions

The core of every order processing agreement is the regulation of the authority to issue instructions. The IT service provider may only process personal data on the documented instructions of the controller. These instructions may be contained in the contract itself or issued separately.

The agreement should provide a mechanism for issuing further instructions - for example by email, via a ticket system or in another written form. It is important that instructions are documented in a comprehensible manner so that, in the event of a dispute, it can be proven that the IT service provider has only acted in accordance with instructions.

Technical and organizational measures

Art. 32 GDPR requires appropriate technical and organizational measures (TOM) to ensure a level of protection appropriate to the risk. The data protection agreement must specifically describe these measures - a blanket reference to Art. 32 GDPR is not sufficient.

The technical measures include: Encryption of data during transmission and storage, access controls, firewalls, regular security updates and backups. Organizational measures include access control systems, employee training, data protection management processes and incident response plans.

Confidentiality obligations

All persons who have access to personal data on behalf of the processor must be bound to confidentiality. This applies not only to permanent employees, but also to subcontractors, freelancers and external consultants.

The confidentiality obligation should apply beyond the termination of the employment relationship and explicitly include data protection. Although many employment contracts contain general confidentiality clauses, these are often not specific enough for data protection requirements.

Support obligations for data subject rights

Data subjects have extensive rights under the GDPR - for example, to information, rectification, erasure or data portability. If a data subject asserts these rights, the controller must respond, but often needs the support of the processor to do so.

The data protection agreement should specifically regulate how the IT service provider supports the controller in fulfilling data subject rights. This can mean Providing relevant data, carrying out deletions, restricting processing or technical support for data transfer.

Reporting obligations in the event of data breaches

In the event of a data breach - such as a hacker attack, data loss or unauthorized access - the controller may have to inform the supervisory authority and data subjects. Art. 33 and 34 GDPR set tight deadlines for this.

Practical tips for companies

Contract negotiations with IT service providers

When commissioning an IT service provider, companies should not treat the data protection agreement as a subordinate issue. Ideally, it should be negotiated in parallel with the main contract, not after the contract has been concluded.

Many IT service providers offer standard contracts that can serve as a starting point. However, these should always be adapted to the specific processing activity. Blanket contracts carry the risk that important aspects are not covered or regulations remain incomplete.

Companies should not hesitate to address critical points and demand improvements. If an IT service provider refuses to conclude a legally compliant data protection agreement, this is a warning signal - it may not generally meet the data protection requirements.

Documentation and processing directory

Every controller must keep a record of processing activities in accordance with Art. 30 GDPR. A separate item must be created in this register for each order processing activity, which lists the processor, the type of processing and the categories of data.

Regular review of existing contracts

Data protection law is constantly evolving. Contracts that were legally secure a few years ago may be incomplete today. Companies should regularly review their existing data protection agreements - at least once a year or in the event of significant legal changes.

Involvement of the data protection officer

Companies that have appointed a data protection officer should involve them in contract negotiations with IT service providers at an early stage. The data protection officer can assess whether the proposed contractual clauses meet the legal requirements and point out risks.

The data protection officer also plays an important role in the ongoing review of processors. They should have access to all data protection agreements and regularly check whether the agreed measures are being complied with.

Checklist for legally compliant data protection agreements

Before signing the contract:

  • Check whether the IT service provider is acting as a processor or as a joint controller
  • Clarification of which personal data is processed (categories and sensitivity)
  • Identification of all subcontractors used by the IT service provider
  • Checking whether data is processed outside the EU
  • Evaluation of the service provider's technical and organizational measures
  • Examination of existing certifications

Contract contents:

  • Precise description of the subject matter, duration and purpose of the processing
  • Detailed list of categories of personal data and data subjects
  • Clear regulation of the authority to issue instructions and the instruction procedure
  • Concrete description of the technical and organizational measures
  • Confidentiality obligation for all employees of the service provider
  • Support obligations for data subject rights
  • Reporting obligations in the event of data breaches with specific deadlines and contact channels
  • Audit and control rights of the controller
  • Obligations upon termination of the contract
  • Liability and compensation regulations

After conclusion of the contract:

  • Entry of order processing in the processing directory
  • Documentation of the data protection agreement in the compliance documentation
  • Information from the data protection officer about the new order processing
  • For sensitive data: Carrying out a data protection impact assessment
  • Training your own employees on how to deal with the IT service provider

Ongoing review:

  • Annual monitoring of compliance with contractual agreements
  • Checking new subcontractors and their documentation
  • Checking that technical and organizational measures are up to date
  • Updating the data protection agreement in the event of changes to the legal situation
  • Checking the instruction documentation
  • Review of the reporting channels for data breaches

Data protection agreements are mandatory, not optional

Collaboration with IT service providers is indispensable for companies, but involves considerable data protection risks. A legally compliant data protection agreement is not a bureaucratic formality, but an essential component of a functioning data protection management system.

Companies that do not conclude any or inadequate data processing agreements not only risk fines, but also reputational damage and claims for damages in the event of data breaches. The supervisory authorities have made it clear in recent years that they will not tolerate breaches in this area.

Anyone who is unsure whether existing contracts meet the legal requirements or needs support in negotiating new data protection agreements should seek expert advice. As specialist lawyers for IT law and with a focus on data protection, we support companies in drafting their contracts with IT service providers in a legally compliant manner. Contact us for individual advice - we will help you to optimize your data protection compliance and minimize liability risks.

Frequently asked questions

Yes, an order processing agreement is also required for purely technical support if the service provider has access to systems with personal data. Even if the support employee does not actively process the data, they can potentially view it, which already constitutes processing within the meaning of the GDPR.

Standard contracts can serve as a basis, but must be adapted to the specific processing situation. The GDPR requires specific descriptions of the processing, the data concerned and the security measures. A completely standardized contract without adaptation to the specific service usually does not meet these requirements.

The absence of a commissioned data processing agreement constitutes a breach of Art. 28 GDPR and can be punished with fines. You are also liable for all data protection violations caused by the IT service provider. Customers and business partners can also lose trust if there is no DPA.

An update is always necessary if significant circumstances change - for example, if new processing activities are added, different data is processed or the IT service provider uses new subcontractors. You should also check whether your contracts are still up to date if the legal situation changes. An annual routine review of all data protection agreements is recommended, even if no specific changes are known.

There is no general obligation to present the agreement. However, it must be possible to present the agreement upon request in the event of inspections by the data protection authority. You must also document the order processing in your processing directory. In the event of data protection violations or complaints from data subjects, the authority may request the DPA in order to check whether you have fulfilled your responsibilities.

In principle, you remain liable as the person responsible for data protection, even if you commission an IT service provider. A clear contractual liability regulation is therefore important in order to clarify responsibilities in the event of damage.

Yes, the duration of the assignment is irrelevant. As soon as an IT service provider gains access to personal data in the course of its activities, an order processing agreement is required - even for one-off or short-term projects.

Yes, cloud services are typical commissioned processing. The data protection agreement must regulate in particular detail where the data centers are located, which security measures are implemented and which subcontractors the cloud provider uses.

The termination modalities depend on the underlying service contract. If the main contract is terminated, the order processing also ends automatically. It is important that you have stipulated in the data protection agreement what happens to the data when the contract ends.

Hamburg location
Head office
Martinistrasse 11
20251 Hamburg
Phone: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559
Kassel location
Branch office
Motzstrasse 1
34117 Kassel
Phone: +49 (0) 561 510 053 80
Fax: +49 (0) 561 510 053 99
Frankfurt location
Branch office
Oeder Weg 11
60318 Frankfurt am Main
Phone: +49 (0) 69 710 471 070
Fax: +49 (0) 69 710 471 079
SITTIG LAW
Lawyer.
Specialist lawyer for criminal law.
Specialist lawyer for IT law.

[email protected]
Hamburg location
Head office
Martinistr. 11
20251 Hamburg
Tel: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559

Contact form