The most important facts at a glance
- GDPR-compliant contracts protect: Companies must conclude legally compliant data processing agreements (DPAs) in accordance with Art. 28 GDPR when processing personal data by third parties - violations can result in fines.
- Standard contractual clauses enable international data transfers: Additional protective measures are mandatory for data transfers to third countries.
- Contractual obligations go beyond mere signature: Technical and organizational measures (TOMs) must be contractually stipulated, regularly reviewed and documented
Why contractual regulations are indispensable in data protection
The General Data Protection Regulation has fundamentally changed the legal requirements for handling personal data. While many companies focus on technical measures, contractual safeguards are often underestimated. Yet data protection-compliant contracts form the legal foundation of all data processing.
In today's networked business world, companies rarely work in isolation. Cloud services, external service providers, international partnerships - all of these constellations require the transfer or joint processing of personal data. Without a legally compliant contractual basis, there is not only the threat of severe fines, but also liability risks towards data subjects and business partners.
The complexity of the GDPR is particularly evident in contract law: different processing constellations require different contractual instruments. In addition, there are specific requirements for international data transfers and the need to continuously adapt contractual provisions to new case law and guidelines from the supervisory authorities.
Legal basis: The contractual framework under data protection law
Data processing agreement, Art. 28 GDPR
Processing contracts pursuant to Art. 28 GDPR, which govern the relationship between controllers and processors, are of particular importance. We support companies in implementing these legal requirements in practical contracts.
An order processing contract is always required if a company commissions an external service provider with regard to data processing who is given access to personal data as part of this activity. Typical examples are IT service providers, cloud providers, payroll accounting offices or call centers. According to Art. 28 GDPR, the contract must contain certain minimum content, including the subject matter and duration of the processing, the type and purpose of the processing as well as the type of personal data and categories of data subjects.
The obligations of the processor are particularly important and must be set out in detail. These include the obligation to process data only on the documented instructions of the controller, to ensure confidentiality and to take appropriate technical and organizational measures. The processor must also provide the controller with all information required to demonstrate compliance with the GDPR obligations and enable audits by the controller or an appointed auditor.
Contractual clauses for third countries
Additional requirements apply to international business relationships. If data is transferred to third countries outside the EU, suitable guarantees must be in place in accordance with Art. 44 et seq. GDPR, suitable guarantees must be in place. If there is no adequacy decision for countries outside the EU, the EU Commission's standard contractual clauses must be used. We support the implementation of legally compliant solutions for data transfers.
Contractually define technical and organizational measures
Specification of the TOMs in the contract
Art. 32 GDPR requires state-of-the-art technical and organizational measures. Contractual TOMs catalogs must specify these abstract requirements for the specific processing situation. Blanket references to industry standards are not sufficient - the measures must be tailored to the specific risks of the processing.
The contractual stipulation creates legal certainty for both parties: The controller can rely on defined protection standards, while the processor knows exactly which requirements must be met. At the same time, the written documentation provides evidence for the supervisory authorities.
Adaptation obligations and further development
Data security is not a static state. Technological developments, new threat scenarios and changes in the scope of processing require continuous adaptation of protective measures. Contracts should therefore provide mechanisms for regularly reviewing and updating the TOMs.
You are welcome to use our GDPR checklist for further information on the technical and organizational measures.
Practical tips for legally compliant data protection contracts
Carry out a systematic inventory
Evaluate for each service provider whether there is an order processing, joint responsibility or another constellation in order to determine which contract should be concluded.
Check existing contracts for completeness of the data protection clauses. Many older contracts no longer meet the current requirements of the GDPR and need to be improved. Prioritize service providers with access to particularly sensitive data or large volumes of data.
Standardization and individualization in balance
Model contracts can serve as a starting point, but must always be adapted to the specific situation.
Develop your own sample contracts for typical constellations that are tailored to your specific requirements. This saves time in recurring contractual situations and at the same time ensures a uniform standard of protection. An individual legal review is essential for complex or high-risk processing.
Contract management and documentation
Set up a systematic contract management system. Document which contracts have been concluded with which service providers, when they were concluded and when they are due for review. Version control for contract changes is essential for accountability.
Keep not only the signed contracts, but also the underlying risk analyses and balancing decisions. For international transfers, the TIA documentation is mandatory and should be available to supervisory authorities at all times.
Implement processes for the regular review of contracts. Changes in case law, new guidelines from the supervisory authorities or technological developments may make adjustments necessary. Annual reviews are recommended.
SITTIG LAW supports you in the development of a complete contract management system for data protection agreements - from the inventory to the drafting of contracts and ongoing updates.
Checklist for data protection-compliant contracts
Check the order processing contract:
- Object, duration, type and purpose of the processing specifically described
- Type of personal data and categories of data subjects defined
- Right of the controller to issue instructions clearly regulated
- Regulations on subcontracted processors
- Technical and organizational measures described in detail
- Obligations to provide support for data subjects' rights defined
- Regulations on the deletion or return of data after the end of the contract
For international data transfers additionally:
- Suitable module of the standard contractual clauses selected
- Regulations on inquiries from foreign authorities
- Examination of alternatives to data transfer documented
With joint responsibility:
- Transparent definition of the respective responsibilities
- Regulations for informing the persons concerned
- Agreement on the fulfillment of data subject rights
- Internal distribution of liability regulated
- Key content made accessible to those affected
General requirements:
- Contracts concluded before the start of data processing
- Written form or electronic form with qualified signature granted
- All contracts centrally documented and archived
- Arrangements made for regular review and adjustment
Contractual protection as the foundation for data processing in compliance with data protection regulations
Data protection-compliant contracts are far more than formal compulsory exercises. They form the legal foundation for any collaboration in which personal data plays a role. Investing in high-quality, legally compliant contracts pays off in several ways: by avoiding fines, by protecting against liability risks and by creating trust with customers and business partners.
The increasing complexity of data protection law - exacerbated by new technologies, international data flows and dynamic case law - makes professional legal advice indispensable. Standard contracts from the Internet may serve as an initial guide, but they are no substitute for an individual review and adaptation to the specific company situation.
As a specialized law firm, SITTIG LAW combines IT law and criminal law expertise - a combination that is invaluable, especially in data protection law. The interface between preventive contract drafting and the potential criminal relevance of data protection violations requires a comprehensive understanding of both areas of law.
Frequently asked questions
Yes, a separate data processing agreement is required for each service provider that processes personal data on your behalf. The contract must regulate the specific processing activities, the type of data processed and the specific security measures for this service provider. Framework agreements are possible, but must contain corresponding annexes or specifications for each specific processing activity.
If you subsequently discover that a service provider is working without a DPA, you should immediately conclude an order processing contract and document the previous processing.
An annual review is recommended. In addition, contracts should be updated if there are significant changes: new services, changes in the scope of processing, new sub-processors, relevant case law or guidelines from the supervisory authorities. The legal situation can be particularly dynamic in the case of international transfers - you should plan for even more frequent reviews here.
The TOMs must be described so specifically that it is clear what level of protection is guaranteed. General references such as „appropriate technical measures“ are not sufficient; describe the encryption methods used. The level of detail should correspond to the risk of the processing - very specific descriptions are required for highly sensitive data.
In the case of commissioned processing, the service provider acts in accordance with instructions and does not make its own decisions on the purposes and means of processing. In the case of joint controllership, both parties decide jointly on the „whether“ and „how“ of data processing.
There is no general obligation to submit contracts to the supervisory authority. However, the authority may request access to your contracts as part of inspections or when investigating complaints. You should therefore be able to present all contracts relevant to data protection at any time.