top of page

Order processing of personal data according to the EU General Data Protection Regulation

Contract for the processing of personal data according to the EU General Data Protection Regulation (AV contract)

Contract for the processing of personal data


see completed form entries
(hereinafter referred to as the client)


see information in the imprint
(hereinafter referred to as the contractor)

1 Introduction, scope, definitions

(1) This contract regulates the rights and obligations of the client and contractor (hereinafter referred to as the "parties") in the context of processing personal data on behalf of the client.

(2) This contract applies to all activities in which employees of the contractor or subcontractors commissioned by him process personal data of the client.

(3) Terms used in this contract are to be understood in accordance with their definition in the EU General Data Protection Regulation. Insofar as statements in the following must be made "in writing", the written form is meant in accordance with Section 126 of the German Civil Code (BGB). In addition, declarations can also be made in another form, provided that adequate verifiability is guaranteed.

2 Subject and duration of the processing

2.1 Subject

The contractor undertakes the following processing:

• See completed form entries

The processing is based on the service contract between the parties (hereinafter referred to as the "main contract").

2.2 Duration

Processing begins on and continues for an indefinite period until termination of this contract or the main contract by a party.

3 Type and purpose of data collection, processing or use:

3.1 Nature and purpose of processing

The processing is of the following type: collection, recording and storage
The processing serves the following purpose: contacting the contractor

3.2 Nature of the data

The following data are processed:

• See completed form entries

3.2.1 Categories of Data Subjects

The following are affected by the processing:

• See completed form entries

4 obligations of the contractor

(1) The contractor processes personal data exclusively as contractually agreed or as instructed by the client, unless the contractor is legally obliged to carry out specific processing. If such obligations exist for him, the contractor will inform the client of these prior to processing, unless the communication is prohibited by law. In addition, the contractor does not use the data provided for processing for any other purpose, in particular not for its own purposes.

(2) The contractor confirms that he is aware of the relevant general data protection regulations. He observes the principles of proper data processing.

(3) The contractor undertakes to strictly maintain confidentiality during processing.

(4) Persons who can gain knowledge of the data processed in the order must commit themselves in writing to confidentiality, unless they are already legally subject to a relevant confidentiality obligation.

(5) The contractor assures that the persons employed by him for processing have been familiarized with the relevant provisions of data protection and this contract before the start of processing. Corresponding training and awareness-raising measures are to be repeated regularly as appropriate. The contractor shall ensure that the persons involved in order processing are continuously and appropriately instructed and monitored with regard to compliance with data protection requirements.

(6) In connection with the commissioned processing, the contractor must support the client in creating and updating the list of processing activities and in carrying out the data protection impact assessment. All necessary information and documentation must be kept and forwarded to the client immediately upon request.

(7) If the client is subject to a control by supervisory authorities or other bodies or if data subjects assert rights against him, the contractor undertakes to support the client to the extent necessary, insofar as the processing in the order is affected.

(8) The contractor may only provide information to third parties or the person concerned with the prior consent of the client. Inquiries addressed directly to him will be forwarded to the client immediately.

(9) As far as legally required, the contractor appoints a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the agent. In cases of doubt, the client can contact the data protection officer directly. The contractor will immediately inform the client of the contact details of the data protection officer or justify why no officer has been appointed. The contractor shall notify the client immediately of any changes in the person or the internal tasks of the agent.

(10) The order processing takes place in principle within the EU or the EEA. Any relocation to a third country may only take place with the consent of the client and under the conditions contained in Chapter V of the General Data Protection Regulation and in compliance with the provisions of this contract.

(11) If the contractor is not established in the European Union, he appoints a responsible contact person in the European Union in accordance with Article 27 of the General Data Protection Regulation. The customer must be informed immediately of the contact person's contact details and any changes in the person of the contact person.

5 Technical and organizational measures

(1) The data security measures described in Appendix 1 are specified as binding. They define the minimum owed by the contractor. The description of the measures must be in such detail that a knowledgeable third party can at any time unequivocally recognize what the minimum owed should be based on the description alone. A reference to information that cannot be taken directly from this agreement or its annexes is not permitted.

(2) The data security measures can be adapted to the technical and organizational further development, as long as the level agreed here is not undershot. The contractor must immediately implement any changes required to maintain information security. Changes are to be communicated to the client immediately. Significant changes are to be agreed between the parties.

(3) If the security measures taken do not or no longer meet the requirements of the client, the contractor shall notify the client immediately.

(4) The contractor guarantees that the data processed in the order will be strictly separated from other databases.

(5) Copies or duplicates will not be made without the knowledge of the client. Technically necessary, temporary reproductions are excluded, provided that an impairment of the data protection level agreed here is excluded.

(6) The processing of data in private apartments is only permitted with the prior written consent of the client in individual cases. If such processing takes place, the contractor must ensure that a level of data protection and data security corresponding to this contract is maintained and that the client's control rights specified in this contract can also be exercised without restriction in the private apartments concerned. The processing of data on behalf of private devices is not permitted under any circumstances.

(7) Dedicated data carriers that originate from the client or are used for the client are specially marked and are subject to ongoing management. They must be stored appropriately at all times and must not be accessible to unauthorized persons. Entrances and exits are documented.

(8) The contractor shall provide regular evidence of the fulfillment of his obligations, in particular the complete implementation of the agreed technical and organizational measures as well as their effectiveness. Evidence must be provided to the client unsolicited at the latest every 12 months and otherwise at any time upon request. Evidence can be provided by approved rules of conduct or an approved certification process.

6 regulations for the correction, deletion and blocking of data

(1) The contractor will only correct, delete or block data processed within the scope of the order in accordance with the contractual agreement made or according to the instructions of the client.

(2) The contractor will follow the relevant instructions of the client at any time and also after the termination of this contract.

7 subcontracting relationships

(1) The commissioning of subcontractors is only permitted with the written consent of the client in individual cases.

(2) Consent is only possible if the subcontractor has been contractually imposed at least data protection obligations that are comparable to those agreed in this contract. Upon request, the client can inspect the relevant contracts between the contractor and the subcontractor.

(3) It must also be possible to effectively exercise the client's rights vis-à-vis the subcontractor. In particular, the client must be entitled to carry out checks at any time to the extent specified here, including with subcontractors or have them carried out by third parties.

(4) The responsibilities of the contractor and the subcontractor must be clearly delimited.

(5) A further subcontracting by the subcontractor is not permitted.

(6) The contractor carefully selects the subcontractor, paying particular attention to the suitability of the technical and organizational measures taken by the subcontractor.

(7) The forwarding of data processed in the order to the subcontractor is only permitted if the contractor has documented and verified that the subcontractor has fully fulfilled its obligations. The contractor must submit the documentation to the client without being requested to do so.

(8) The commissioning of subcontractors who carry out processing on behalf not exclusively from the area of the EU or the EEA is only possible if the conditions specified in Chapter 4 (10) and (11) of this contract are observed. In particular, it is only permissible if and as long as the subcontractor offers appropriate data protection guarantees. The contractor informs the client which specific data protection guarantees the subcontractor offers and how proof of this can be obtained.

(9) The contractor has to check the compliance with the obligations of the subcontractor regularly, at the latest every 12 months. The test and its result are to be documented in such a meaningful way that they can be understood by a competent third party. The documentation must be presented to the client without being asked.

(10) If the subcontractor does not comply with its data protection obligations, the contractor is liable to the client for this.

(11) The subcontractors named in Appendix 2 with their name, address and order content are currently involved in processing personal data to the extent specified there and approved by the client. The other obligations of the contractor towards subcontractors set out here remain unaffected.

(12) Subcontracting relationships within the meaning of this contract are only those services that are directly related to the provision of the main service. Ancillary services such as transport, maintenance and cleaning as well as the use of telecommunications services or user services are not included. The contractor's obligation to ensure compliance with data protection and data security in these cases also remains unaffected.

8 Rights and obligations of the client

(1) The client is solely responsible for assessing the admissibility of the commissioned processing and for safeguarding the rights of those affected.

(2) The client issues all orders, partial orders or instructions in a document. In urgent cases, instructions can be given orally. The client will immediately confirm such instructions in a documented manner.

(3) The client informs the contractor immediately if he discovers errors or irregularities when checking the results of the order.

(4) The client is entitled to ensure compliance with the provisions on data protection and the contractual agreements with the contractor to a reasonable extent himself or through third parties, in particular by obtaining information and inspecting the stored data and the data processing programs as well as other on-site checks to control. The contractor shall allow the persons entrusted with the control access and inspection as far as necessary. The contractor is obliged to provide the necessary information, demonstrate processes and provide evidence that is required to carry out a control.

(5) Controls at the contractor must be carried out without avoidable disruptions to its business operations. Unless otherwise indicated for urgent reasons to be documented by the client, checks will take place after appropriate advance notice and during the contractor's business hours, and no more frequently than every 12 months. Insofar as the contractor provides evidence of the correct implementation of the agreed data protection obligations as provided in Chapter 5 (8) of this contract, a check should be limited to random samples.

9 Notification Obligations

(1) The contractor shall immediately notify the client of any breaches of the protection of personal data. Well-founded suspected cases of this must also be reported. The notification must be made at the latest within 24 hours of the contractor becoming aware of the relevant event to an address specified by the client. It must contain at least the following information:

a. a description of the nature of the personal data breach, as far as possible with an indication of the categories and the approximate number of persons concerned, the categories concerned and the approximate number of personal data records concerned;

b. the name and contact details of the data protection officer or another contact point for further information;

c. a description of the likely consequences of the personal data breach;

d. a description of the measures taken or proposed by the contractor to remedy the personal data breach and, if necessary, measures to mitigate its possible adverse effects

(2) Significant disruptions in the execution of the order as well as violations by the contractor or the persons employed by him against data protection regulations or the stipulations made in this contract must also be reported immediately.

(3) The contractor informs the client immediately of controls or measures by supervisory authorities or other third parties, insofar as these relate to order processing.

(4) The contractor assures to support the client in his obligations according to Art. 33 and 34 of the General Data Protection Regulation to the extent required.

10 instructions

(1) The client reserves the right to give instructions with regard to processing on behalf of the client.

(2) Client and contractor name the persons exclusively authorized to issue and accept instructions in Appendix 3.

(3) In the event of a change or long-term prevention of the named persons, the other party must be informed immediately of successors or representatives.

(4) The contractor will immediately notify the client if an instruction given by the client violates statutory provisions in his opinion. The contractor is entitled to suspend the implementation of the corresponding instruction until it is confirmed or changed by the person responsible at the client.

(5) The contractor must document instructions issued to him and their implementation.

11 Termination of the order

(1) Upon termination of the contractual relationship or at any time at the request of the client, the contractor must either destroy the data processed in the order or hand it over to the client, at the client's option. All existing copies of the data must also be destroyed. The destruction must be carried out in such a way that it is no longer possible to restore even residual information with justifiable effort. Physical destruction takes place in accordance with DIN 66399.

(2) The contractor is obliged to bring about the immediate return or deletion also with subcontractors.

(3) The contractor must provide evidence of proper destruction and present it to the client immediately.

(4) Documentation that serves as evidence of proper data processing is to be stored by the contractor after the end of the contract in accordance with the respective retention periods. He can hand them over to the client at the end of the contract for his relief.

12 remuneration

The remuneration of the contractor is finally regulated in the main contract. There is no separate remuneration or reimbursement of costs within the framework of this contract.

13 liability

(1) The client and the contractor are jointly and severally liable for compensation for damage suffered by a person due to inadmissible or incorrect data processing within the scope of the contractual relationship.

(2) The contractor bears the burden of proof that the damage is not the result of a circumstance for which he is responsible, insofar as he has processed the relevant data under this agreement. As long as this proof has not been provided, the contractor shall, upon first request, indemnify the client from all claims made against the client in connection with the processing of the order. Under these conditions, the contractor will also reimburse the client for all legal defense costs incurred.

(3) The contractor is liable to the client for damage caused by the contractor, his employees or those commissioned by him with the execution of the contract or the sub-service providers employed by him in connection with the provision of the contracted service.

(4) Numbers (2) and (3) do not apply if the damage was caused by the correct implementation of the commissioned service or an instruction issued by the client.

14 Contractual Penalty

(1) In the event of a breach of the provisions of this contract, a no-fault contractual penalty of € 1000 per individual case is agreed. The contractual penalty is forfeited in particular in the event of deficiencies in the implementation of the agreed technical and organizational measures. In the case of permanent violations, each calendar month in which the violation occurs in whole or in part is considered an individual case. The objection of the continuation connection is excluded.

(2) The contractual penalty has no influence on other claims of the client.

15 Special right of termination

(1) The client can terminate the main contract and this agreement at any time without observing a notice period ("extraordinary termination") if the contractor has seriously violated data protection regulations or the provisions of this agreement, or if the contractor is unable to carry out a lawful instruction from the client wants or the contractor refuses control rights of the client contrary to the contract.

(2) A serious breach exists in particular if the contractor has not or has not fulfilled the obligations specified in this agreement, in particular the agreed technical and organizational measures, to a considerable extent.

(3) In the event of minor violations, the client shall set the contractor a reasonable deadline for remedial action. If the remedy is not given in time, the client is entitled to extraordinary termination as described in this section.

(4) The contractor shall reimburse the client for all costs incurred due to the premature termination of the main contract or this contract as a result of an extraordinary termination by the client.

16 Others

(1) Both parties are obliged to treat as confidential all knowledge of trade secrets and data security measures of the other party acquired in the context of the contractual relationship, even after the contract has ended. If there are any doubts as to whether information is subject to confidentiality, it must be treated as confidential until it has been approved in writing by the other party.

(2) If the client's property at the contractor is endangered by measures by third parties (such as seizure or seizure), insolvency or settlement proceedings or other events, the contractor must notify the client immediately.

(3) The written form is required for side agreements.

(4) The objection of the right of retention i. S. v. Section 273 of the German Civil Code (BGB) is excluded with regard to the data processed in the order and the associated data carriers.

(5) Should individual parts of this agreement be ineffective, this does not affect the validity of the rest of the agreement.

Appendix 1 - technical and organizational measures

In the following, the technical and organizational measures to ensure data protection and data security are specified, which the contractor must at least set up and maintain on an ongoing basis. The aim is to ensure, in particular, the confidentiality, integrity and availability of the information processed in the order.

Protection class 1 applies to destruction in accordance with DIN 66399.

1. Organization of information security
2. Personnel security
3. Management of values
4. Access control
5. Cryptography
6. Physical and environmental security
7. Operational safety
8. Communication security
9. Acquisition, development and maintenance of systems
10. Supplier Relationships
11. Handling of information security incidents
12. Information security aspects in business continuity management
13. Compliance

Annex 2 - Approved sub-service providers

see information in the imprint

Appendix 3 - Authorized persons to issue instructions

The following persons are authorized to issue and receive instructions:

see information in the imprint

bottom of page