Data processing on behalf

from Wikipedia, the free encyclopedia

Data processing on behalf also - order data processing ( ADP called) - called in Germany the collection, processing or use of personal data by a service provider on behalf of the person responsible. It was regulated in Section 11 of the Federal Data Protection Act (BDSG) in the version dated August 14, 2009 ( BGBl. 2009 I p. 2814 ). The BDSG in this version and thus also the section 11 contained therein was lost with the entry into force of the European General Data Protection Regulation ( GDPR, Regulation (EU) 2016/679 ) and Article 1 of the German Data Protection Adaptation and Implementation Act EU (DSAnpUG-EU) ( BGBl. 2017 I p. 2097 ) revised the Federal Data Protection Act on May 25, 2018. Since then, Article 28 of the GDPR has regulated processing on behalf of the customer. (The terms of order data processing and data processing by order are no longer used in the DS-GVO.) Section 80 (processing of social data on behalf of) of Book 10 of the Social Code was adopted by the German legislator in accordance with the requirements of Article 28 of the DS-GVO customized.

The following text describes the order data processing as it was legally required and valid until May 25, 2018.

Specifications for order data processing

Since the amendment of the Federal Data Protection Act in 2009, the requirements for order data processing have been specified by the legislator in a ten-point catalog. A written contract with the following provisions is required:

  • Subject matter and duration of the contractual relationship
  • Scope, type and purpose of data processing
  • Technical and organizational measures taken by the contractor
  • Deletion, authorization and blocking of personal data
  • Control rights of the client
  • Possible authority to subcontract
  • Obligations of the contractor (tolerance and participation in controls)
  • Obligation to report violations of the BDSG or the contract
  • Authority of the client to issue instructions in matters relevant to data protection
  • Return or possible deletion of personal data at the end of the contractual relationship (client remains data owner )

Before a contract can be concluded between the parties, the client must ensure that the contractor can meet the technical and organizational measures required by law.

Depending on the scope and type of data to be processed, this control obligation can be met through an on-site inspection, evidence of meaningful data protection certifications, an assessment of the IT security concept or written information from the contractor.

The client provides the contractor with the personal data to be processed on the basis of the transfer or transfer procedure specified in the contract. If necessary, the contractor also collects the personal data himself. In doing so, the contractor must separate the personal data to be processed from the data that he has collected for other purposes or that he processes and uses for other clients. After completion of the processing, the contractor will again make the results available to the client in a previously defined procedure.

Differentiation from the transfer of functions

Due to the different legal consequences, the order data processing must be distinguished from the transfer of functions. In the case of data processing on behalf of the client , the responsibility for the proper data processing and its liability remains with the client. The transfer of personal data in the course of data processing on behalf does not qualify as a transfer in the sense of data protection law. This leads to a legal privilege. The recipient is like an outsourced department of the client and is therefore entitled to the same extent as the client to handle the personal data.

In contrast, the contractor himself is responsible for the processed data when the functions are transferred. A transfer of personal data to them therefore requires a permit standard or consent .

There are no clear requirements in the law to delimit data processing on behalf of the transfer of functions. In practice, the powers of the contractor serve as a distinguishing criterion. Data processing on behalf of the contract can be assumed if the contractor only assumes an auxiliary and support function. Signs of this are a lack of own decision-making leeway as well as being bound by instructions to the client.

If, on the other hand, the entire task or business area is transferred to the contractor, this is a transfer of functions. This is indicated by your own decision-making powers and your own discretion when processing the data. A financial self-interest in the transferred data can also be an indicator for a transfer of functions.


Examples of order data processing relationships are:

Web links

Individual evidence

  1. Thomas Hoeren: The new BDSG and order data processing DuD 2010, 688-691
  2. Order data processing. Dr. Nils Christian Haag, accessed on July 19, 2015 .
  3. Order data processing and transfer of functions. (No longer available online.) The State Commissioner for Data Protection Baden-Württemberg, archived from the original on June 24, 2015 ; Retrieved July 19, 2015 . Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice. @1@ 2Template: Webachiv / IABot /
  4. Orientation aid for order data processing. State Commissioner for Data Protection Lower Saxony, December 2, 2002, accessed on July 19, 2015 .