Privacy Top 20 Ratgeber

Processing contracts: So you are always on the safe side

As soon as you, as a company, have personal data processed by third parties, you are obliged to draw up a corresponding processing contract. This is necessary, for example, if you work with software programs or external service providers whose work requires personal information.
Please note that the document is a mutual obligation. It is therefore not enough for you as the principal to ask the contractor to prepare the document. All parties are required to be actively involved in the processing contracts. This is the only way you can be sure of the following:
a) You act in accordance with the GDPR and comply with the prescribed guidelines.
b) Processing takes place on a sound legal basis.
In this guide, we will show you which factors you must pay attention to and how you can implement Art. 28 GDPR sensibly.

When do you have to enter into processing contracts?

Basically, the subject is not new. The Federal Data Protection Act already stipulates that you must formulate a data processing agreement. The new EU GDPR has, however, significantly tightened the requirements. Now you are obliged to enter into a data processing contract in the following cases:

• You use remote warning systems.
• You commission external service providers for marketing (call center), bookkeeping, etc.
• You outsource your data center, for example through cloud computing.
• You use tracking software such as Google Analytics.
You can, however, dispense with documents that safeguard your company, as long as this involves a transfer of functions. This is the case if, for example, the committed service provider also has an interest in the data collected.
Attention: Always play it safe. There are a large number of companies that are in no way aware that they have to enter into a processing contract. Often they do not realize the implications of what they have commissioned. According to the GDPR, you also have to protect yourself if an external service provider could even theoretically come close to personal data – i.e., as soon as there was even the possibility.

The content of a processing contract in accordance with GDPR

It is always said that less is more, but we do not recommend that for the contract. It is better if you formulate the following points in as much detail as possible in order to ensure complete certainty:

1. Contractual partner
2. Duration, scope, purpose and type of assignment as well as the collection, processing and use of the data
3. Type of data
4. Data subject group
5. Organizational and technical measures
6. Authorization as well as the possibility of deleting and blocking already existing information
7. Obligations of the contractor (e.g., controls)
8. Obligation of the contractor to cooperate
9. If applicable, subcontracting authority
10. Reporting obligation in the event of infringements that have occurred or potential security breaches
11. Scope of the authority to issue directives
12. Destruction and return of all data at the end of the contract
13. Potential clauses

This checklist helps you keep track of the big picture

When it comes to the General Data Protection Regulation, too much is clearly better than too little – at least if you want to protect yourself against GDPR warnings. Therefore, we have compiled a checklist with all relevant items that you should pay attention to in your processing contracts.

Examination of existing documents

Don’t think you’re safe just because you’ve been using documents that comply with the Federal Data Protection Act for years. The GDPR has tightened up the requirements. It is therefore essential that you take a close look at all contracts currently in use. If necessary, set up an updated version. This is both in your personal interest and in the interest of the other company.


Superfast is not always the best approach in many situations. The same applies to the preparation of processing contracts. Take your time and check afterwards whether you have really included all relevant contents. As far as data protection is concerned, prevention is always better than cure if you want to protect yourself and the rights of data subjects sufficiently.


Completeness is not the only important thing. The information in the document should also be legally correct. Legal advice on data protection is helpful or you can take a look at our category “External data protection officer,” where you can compare providers and find an expert for your business.

Monitoring contractors

Just because you have entered into a processing contract does not automatically mean that you are giving up control. You are still obliged to check that the implementation of the General Data Protection Regulation is being carried out properly. This is done through regular checks of the subcontractors you engage. Make sure to record everything in writing in order to be able to provide evidence in case of doubt.

Foreign countries as a special case

Within the EU, all measures are mandatory. But what about partners from so-called third countries? Official guidelines do not yet exist for this case. We therefore recommend that you either sit down with your data protection officer or seek advice from a so-called Article 27 representative.

Don’t take processing agreements lightly

The supervisory authorities aren’t the only ones who take a close look at all your steps. Data subjects also want to make sure that you comply with the GDPR and take the protection of personal data seriously. In addition, it is increasingly the case that competitors also check very closely whether you comply with the regulations. If this is not the case, more and more companies are taking legal action against their competitors.