INTRODUCTION TO GDPR
According to the EU General Data Protection Regulation (GDPR), every company that wants a service provider to process personal data on the company’s behalf must have a commissioned-processing contract (CP contract) with that provider. This document was formerly known as a commissioned data processing contract, or CDP contract, in the terminology of the Federal Data Protection Act (FDPA) in Germany.
The contractual requirements for personal data processing are increasing with the GDPR. Compared to the previous § 11 FDPA, softer regulations have been established with respect to the contract itself. However, the relationship between the customer and the contractor (also referred to respectively as the ‘controller’ or ‘principal’ and ‘processor’ or ‘agent’) is significantly more specific than it is according to the FDPA in its present form.
We at cosmetics are trying to help both parties (customer and contractor) provide the necessary clarity in commissioned processing (CP). Rights and obligations in CP are explicitly regulated. In this way, it is easier to meet the requirements of the GDPR on accountability and joint liability.
WHAT IS A COMMISSIONED-PROCESSING CONTRACT?
A contract for commissioned processing (formerly: commissioned data processing) should always be utilised whenever personal data are processed by an instruction-dependent service provider. For example, CP service providers can be salary-accounting offices, data-carrier providers, advertising and marketing agencies, cloud computing providers, web or e-mail hosting companies or freelancers. The CP contract determines the rights and obligations of customers and contractors as well as subcontractors, if applicable. Thus, among other stipulations, the contract should guarantee that the contractor only processes the data entrusted to him/her for the purposes for which the customer collected the data. Above all, the service provider is obligated to protect the data to an adequate extent. In order to ensure that this level of data protection is actually provided by the contractor, the customer is granted comprehensive control rights in the contract.
Commissioned-processing contracts are to be adapted to the respective service provider and his/her functions. An important component of the contract is an appendix setting out the technical and organisational measures with which the contractor guarantees the data protection and data security of the data provided.
We have notified and will continue to notify our online customers that they can choose whether or not to be notified about our products, offers and news. If you have not received our opt-in or opt-out email, please contact us at firstname.lastname@example.org and we will update your preferences.