{"id":2097,"date":"2022-08-24T15:07:54","date_gmt":"2022-08-24T13:07:54","guid":{"rendered":"https:\/\/www.privacy-advice.com\/aktuelles\/commissioned-data-processing-without-a-proper-contract-can-be-expensive\/"},"modified":"2022-09-26T17:23:37","modified_gmt":"2022-09-26T15:23:37","slug":"commissioned-data-processing-without-a-proper-contract-can-be-expensive","status":"publish","type":"aktuelles","link":"https:\/\/www.privacy-advice.com\/en\/news\/commissioned-data-processing-without-a-proper-contract-can-be-expensive\/","title":{"rendered":"Commissioned data processing without a proper contract can be expensive"},"content":{"rendered":"<div class=\"container con--para\">\n<p>If a company commissions an external service provider to collect, process or use personal data, a written commissioned data processing agreement must be concluded. The German Federal Data Protection Act stipulates which provisions must be included in such a contract. The technical and organizational measures that the external service provider must take are particularly important. These must be established in writing and sufficiently specified. If such regulations are missing or incomplete, or if the other requirements for the commissioning of external service providers pursuant to Section 11 BDSG are not complied with, the supervisory authorities may impose fines.  <\/p>\n<\/div><div class=\"container con--para\">\n<p>Only recently, the Bavarian State Office for Data Protection Supervision imposed a five-digit fine on a company that had concluded written commissioned data processing agreements with its service providers, but had not specified sufficiently concrete technical and organizational data security measures. Blanket statements and repetitions of the legal text are not sufficient in this respect &#8211; rather, a final determination of the concrete measures taken must be made within the framework of the contract. Only in this way can the commissioning company actually assess in practice whether the personal data is sufficiently protected at the contractor.  <\/p>\n<\/div><div class=\"container con--para\">\n<p>The Bavarian State Office has announced that it will continue to pursue this issue and impose further fines in the event of inadequate contracts. Other privacy regulators are likely to follow suit. When commissioning external service providers, care must therefore be taken to ensure that the cooperation is contractually structured accordingly &#8211; in particular, caution must be exercised when using model contracts!<\/p>\n<\/div>\r\n\r\n<div class=\"block block--cta flex flex--middle wp-block-acf-cta\">\r\n                            \r\n    <picture>\r\n        <source \r\n            media=\"(min-width: 641px)\" \r\n            srcset=\"https:\/\/www.privacy-advice.com\/wp-content\/uploads\/dpa-call-to-action-background-2400x500.jpg 2400w,\r\n                https:\/\/www.privacy-advice.com\/wp-content\/uploads\/dpa-call-to-action-background-1920x400.jpg 1920w,\r\n                https:\/\/www.privacy-advice.com\/wp-content\/uploads\/dpa-call-to-action-background-1600x333.jpg 1600w,\r\n                https:\/\/www.privacy-advice.com\/wp-content\/uploads\/dpa-call-to-action-background-1400x292.jpg 1400w,\r\n                https:\/\/www.privacy-advice.com\/wp-content\/uploads\/dpa-call-to-action-background-1200x250.jpg 1200w,\r\n                https:\/\/www.privacy-advice.com\/wp-content\/uploads\/dpa-call-to-action-background-1024x213.jpg 1024w\"\r\n            sizes=\"100vw\">\r\n            <source \r\n                media=\"(max-width: 640px)\" \r\n                srcset=\"https:\/\/www.privacy-advice.com\/wp-content\/uploads\/dpa-call-to-action-background-1200x250.jpg 1200w,\r\n                        https:\/\/www.privacy-advice.com\/wp-content\/uploads\/dpa-call-to-action-background-1024x213.jpg 1024w,\r\n                         https:\/\/www.privacy-advice.com\/wp-content\/uploads\/dpa-call-to-action-background-800x167.jpg 800w\"\r\n                sizes=\"100vw\">  \r\n        <img decoding=\"async\" \r\n            src=\"https:\/\/www.privacy-advice.com\/wp-content\/uploads\/dpa-call-to-action-background-1600x333.jpg\"\r\n            alt=\"DPA | Call-to-Action Hintergrund\" loading=\"lazy\">\r\n    <\/picture>\r\n\r\n    <div class=\"one-whole spacing\">\r\n        <div class=\"container relative\">\r\n                            <a href=\"https:\/\/www.privacy-advice.com\/kontakt\/\" target=\"_self\">\r\n                            <img decoding=\"async\" src=\"https:\/\/www.privacy-advice.com\/wp-content\/uploads\/p.svg\" \r\n                    alt=\"\" loading=\"lazy\" \/>\r\n                            <\/a>\r\n            \r\n            <div class=\"flex flexgrid--gutter flex--wrap flex--middle\">\r\n                <div class=\"flex__item\">\r\n                    <div class=\"left\">\r\n                                                                                    <a href=\"https:\/\/www.privacy-advice.com\/kontakt\/\" target=\"_self\">\r\n                                                            <h2 class=\"gamma\">Haben Sie Fragen zu diesem Thema?<\/h2>\r\n                                                             <\/a>\r\n                                                       \r\n                        <p>Wir stehen Ihnen gerne zur Verf\u00fcgung und unterst\u00fctzen Sie und Ihr Unternehmen bei Fragen im Bereich Datenschutz.<\/p>\r\n                    <\/div>\r\n                <\/div>\r\n                <div class=\"right flex__item\">\r\n                                            <a href=\"https:\/\/www.privacy-advice.com\/kontakt\/\" target=\"_self\" class=\"btn btn--white\">\r\n                            Kontakt aufnehmen                        <\/a>\r\n                                    <\/div>\r\n            <\/div>\r\n        <\/div>\r\n    <\/div> \r\n\r\n\r\n<\/div>","protected":false},"excerpt":{"rendered":"<p>If a company commissions an external service provider to collect, process or use personal data, a written commissioned data processing agreement must be concluded. The German Federal Data Protection Act stipulates which provisions must be included in such a contract. The technical and organizational measures that the external service provider must take are particularly important. [&hellip;]<\/p>\n","protected":false},"parent":0,"template":"","class_list":["post-2097","aktuelles","type-aktuelles","status-publish","hentry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Commissioned data processing without a proper contract can be expensive &#8211; DPA Drewes Privacy Advice<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.privacy-advice.com\/de\/news\/auftragsdatenverarbeitung-ohne-richtigen-vertrag-kann-teuer-werden\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Commissioned data processing without a proper contract can be expensive &#8211; DPA Drewes Privacy Advice\" \/>\n<meta property=\"og:description\" content=\"If a company commissions an external service provider to collect, process or use personal data, a written commissioned data processing agreement must be concluded. The German Federal Data Protection Act stipulates which provisions must be included in such a contract. The technical and organizational measures that the external service provider must take are particularly important. [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.privacy-advice.com\/de\/news\/auftragsdatenverarbeitung-ohne-richtigen-vertrag-kann-teuer-werden\/\" \/>\n<meta property=\"og:site_name\" content=\"DPA Drewes Privacy Advice\" \/>\n<meta property=\"article:modified_time\" content=\"2022-09-26T15:23:37+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.privacy-advice.com\\\/de\\\/news\\\/auftragsdatenverarbeitung-ohne-richtigen-vertrag-kann-teuer-werden\\\/\",\"url\":\"https:\\\/\\\/www.privacy-advice.com\\\/de\\\/news\\\/auftragsdatenverarbeitung-ohne-richtigen-vertrag-kann-teuer-werden\\\/\",\"name\":\"Commissioned data processing without a proper contract can be expensive &#8211; DPA Drewes Privacy Advice\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.privacy-advice.com\\\/de\\\/#website\"},\"datePublished\":\"2022-08-24T13:07:54+00:00\",\"dateModified\":\"2022-09-26T15:23:37+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.privacy-advice.com\\\/de\\\/news\\\/auftragsdatenverarbeitung-ohne-richtigen-vertrag-kann-teuer-werden\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.privacy-advice.com\\\/de\\\/news\\\/auftragsdatenverarbeitung-ohne-richtigen-vertrag-kann-teuer-werden\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.privacy-advice.com\\\/de\\\/news\\\/auftragsdatenverarbeitung-ohne-richtigen-vertrag-kann-teuer-werden\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\\\/\\\/www.privacy-advice.com\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"News\",\"item\":\"https:\\\/\\\/www.privacy-advice.com\\\/en\\\/news\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Commissioned data processing without a proper contract can be expensive\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.privacy-advice.com\\\/de\\\/#website\",\"url\":\"https:\\\/\\\/www.privacy-advice.com\\\/de\\\/\",\"name\":\"DPA Drewes Privacy Advice\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.privacy-advice.com\\\/de\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.privacy-advice.com\\\/de\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.privacy-advice.com\\\/de\\\/#organization\",\"name\":\"DPA Drewes Privacy Advice GmbH\",\"url\":\"https:\\\/\\\/www.privacy-advice.com\\\/de\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.privacy-advice.com\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.privacy-advice.com\\\/wp-content\\\/uploads\\\/dpa-logo.svg\",\"contentUrl\":\"https:\\\/\\\/www.privacy-advice.com\\\/wp-content\\\/uploads\\\/dpa-logo.svg\",\"width\":1,\"height\":1,\"caption\":\"DPA Drewes Privacy Advice GmbH\"},\"image\":{\"@id\":\"https:\\\/\\\/www.privacy-advice.com\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Commissioned data processing without a proper contract can be expensive &#8211; DPA Drewes Privacy Advice","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.privacy-advice.com\/de\/news\/auftragsdatenverarbeitung-ohne-richtigen-vertrag-kann-teuer-werden\/","og_locale":"en_US","og_type":"article","og_title":"Commissioned data processing without a proper contract can be expensive &#8211; DPA Drewes Privacy Advice","og_description":"If a company commissions an external service provider to collect, process or use personal data, a written commissioned data processing agreement must be concluded. The German Federal Data Protection Act stipulates which provisions must be included in such a contract. The technical and organizational measures that the external service provider must take are particularly important. [&hellip;]","og_url":"https:\/\/www.privacy-advice.com\/de\/news\/auftragsdatenverarbeitung-ohne-richtigen-vertrag-kann-teuer-werden\/","og_site_name":"DPA Drewes Privacy Advice","article_modified_time":"2022-09-26T15:23:37+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.privacy-advice.com\/de\/news\/auftragsdatenverarbeitung-ohne-richtigen-vertrag-kann-teuer-werden\/","url":"https:\/\/www.privacy-advice.com\/de\/news\/auftragsdatenverarbeitung-ohne-richtigen-vertrag-kann-teuer-werden\/","name":"Commissioned data processing without a proper contract can be expensive &#8211; DPA Drewes Privacy Advice","isPartOf":{"@id":"https:\/\/www.privacy-advice.com\/de\/#website"},"datePublished":"2022-08-24T13:07:54+00:00","dateModified":"2022-09-26T15:23:37+00:00","breadcrumb":{"@id":"https:\/\/www.privacy-advice.com\/de\/news\/auftragsdatenverarbeitung-ohne-richtigen-vertrag-kann-teuer-werden\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.privacy-advice.com\/de\/news\/auftragsdatenverarbeitung-ohne-richtigen-vertrag-kann-teuer-werden\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.privacy-advice.com\/de\/news\/auftragsdatenverarbeitung-ohne-richtigen-vertrag-kann-teuer-werden\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/www.privacy-advice.com\/en\/"},{"@type":"ListItem","position":2,"name":"News","item":"https:\/\/www.privacy-advice.com\/en\/news\/"},{"@type":"ListItem","position":3,"name":"Commissioned data processing without a proper contract can be expensive"}]},{"@type":"WebSite","@id":"https:\/\/www.privacy-advice.com\/de\/#website","url":"https:\/\/www.privacy-advice.com\/de\/","name":"DPA Drewes Privacy Advice","description":"","publisher":{"@id":"https:\/\/www.privacy-advice.com\/de\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.privacy-advice.com\/de\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.privacy-advice.com\/de\/#organization","name":"DPA Drewes Privacy Advice GmbH","url":"https:\/\/www.privacy-advice.com\/de\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.privacy-advice.com\/de\/#\/schema\/logo\/image\/","url":"https:\/\/www.privacy-advice.com\/wp-content\/uploads\/dpa-logo.svg","contentUrl":"https:\/\/www.privacy-advice.com\/wp-content\/uploads\/dpa-logo.svg","width":1,"height":1,"caption":"DPA Drewes Privacy Advice GmbH"},"image":{"@id":"https:\/\/www.privacy-advice.com\/de\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/www.privacy-advice.com\/en\/wp-json\/wp\/v2\/aktuelles\/2097","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.privacy-advice.com\/en\/wp-json\/wp\/v2\/aktuelles"}],"about":[{"href":"https:\/\/www.privacy-advice.com\/en\/wp-json\/wp\/v2\/types\/aktuelles"}],"version-history":[{"count":1,"href":"https:\/\/www.privacy-advice.com\/en\/wp-json\/wp\/v2\/aktuelles\/2097\/revisions"}],"predecessor-version":[{"id":2102,"href":"https:\/\/www.privacy-advice.com\/en\/wp-json\/wp\/v2\/aktuelles\/2097\/revisions\/2102"}],"wp:attachment":[{"href":"https:\/\/www.privacy-advice.com\/en\/wp-json\/wp\/v2\/media?parent=2097"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}