What is commissioned data processing?

Commissioned data processing (German: Auftragsdatenverarbeitung, ADV) refers to the processing of personal data by an external service provider on behalf of a company. Since the GDPR came into force, the term "processing on behalf of a controller" (Auftragsverarbeitung, AV) is usually used instead. The legal basis is Art. 28 GDPR.

In concrete terms, this means that a company that collects data on customers, employees or suppliers can outsource the processing of that data to a specialized service provider. The processor may not use the data for its own purposes, but only in accordance with the documented instructions of the company that commissions it, which remains the controller. This ensures that personal data remains protected even when it is not processed within the company itself.

Order data processing in the ERP context

In connection with ERP systems (Enterprise Resource Planning), processing on behalf of a controller plays a particularly important role. Whenever an ERP system is not installed locally on the company's own servers but is used as a cloud or SaaS solution, the ERP provider or an external IT service provider processes personal data on behalf of the company, for example:

  • Customer data and supplier information in merchandise management
  • Employee data in HR or payroll accounting modules
  • Financial and accounting data in accounting
  • Project data with personal references in project management modules

As all of this data is often business-critical and sensitive, a data processing agreement (DPA, German: Auftragsverarbeitungsvertrag, AVV) must be concluded. It regulates the conditions under which the ERP provider or IT service provider processes the data on behalf of the company.

SME example: A medium-sized manufacturing company opts for a cloud ERP. Customer data, bills of materials and supplier information are no longer stored locally, but processed on the ERP provider's servers. In this case, the company must conclude a DPA with the provider that regulates exactly how the customer data is handled and which security measures apply.

Group example: An international group runs an ERP system that is used by various locations worldwide. In addition to the central data processing in financial accounting, HR data from several countries is also affected. Here it is not only the DPA with the ERP provider that matters, but also the contractual integration and auditing of numerous sub-processors and data centers.

Obligations of the client

Even if the actual processing is carried out by a service provider, the company itself remains responsible for compliance with data protection law. The GDPR clearly assigns the primary responsibility to the controller, i.e. the client. Typical obligations are:

  • Careful selection of the ERP provider or IT service provider: Before a contract is concluded, it must be checked whether the provider implements the technical and organizational measures necessary to protect the data.
  • Conclusion of a DPA: Without this contract, processing is not permitted by law. The DPA forms the basis for any form of commissioned data processing.
  • Monitoring and documentation obligations: The company must regularly check whether the provider is complying with the agreed measures and document this. Audits, certifications and other evidence supplied by the provider are standard here.
  • Checking sub-processors: Many ERP providers rely on hosting or cloud providers. These must also be covered by contract and checked.

Example: A company uses a cloud ERP that is operated on the servers of a large hyperscaler (e.g. AWS or Azure). The company must not only conclude a DPA with the ERP provider, but also ensure that the provider has properly bound its own sub-processors by contract and that their use is covered by the DPA.

Data processing agreement (DPA)

A DPA is the central document that regulates the cooperation between the client and the processor. It bindingly defines which data may be processed, how, for what purpose and under which security standards. Following Art. 28(3) GDPR, a DPA must contain the following points, among others:

  • Subject matter and duration of the processing: What is processed and for how long?
  • Nature and purpose of the processing: For example, payroll accounting, CRM or financial accounting.
  • Type of personal data: For example, contact details, contract data or payroll data.
  • Categories of data subjects: Customers, employees, suppliers or business partners.
  • Rights and obligations of the controller: What control rights does the company have, and how is the cooperation organized?
  • Technical and organizational measures (TOMs): What security measures does the provider implement (e.g. encryption, access controls)?
  • Rules on sub-processors: May the ERP provider use other service providers and, if so, under what conditions?

While the old Federal Data Protection Act (BDSG) required a written contract, the GDPR also permits electronic form (Art. 28(9) GDPR), for example a contract concluded by electronic signature.

Changes due to the GDPR

The GDPR has introduced some significant innovations compared to the old BDSG:

Own responsibility of processors: Unlike under the old law, service providers are now themselves responsible for complying with the data protection obligations that apply to them, and they can be fined or held liable in the event of breaches.

Joint control: If several parties jointly determine the purposes and means of processing, this is referred to as joint control (Art. 26 GDPR). In this case, data subjects may exercise their rights against each of the parties involved.

The obligation to follow instructions remains in place: Even under the GDPR, the service provider may only process the data on the documented instructions of the company. If it determines the purposes and means of the processing itself, it is considered the controller in respect of that processing, with all the legal consequences.

Example for the ERP context: A parent company and its subsidiary share a cloud ERP. Both parties jointly determine which data is processed, what access rights exist and for what purposes the processing takes place. This is a case of joint control, and a clear contractual arrangement is crucial in order to define the responsibilities of each party.

Legal notice:

The free and freely accessible content of this website has been created with the greatest possible care. However, we expressly point out that we assume no guarantee or other responsibility for the accuracy, currency or completeness of the journalistic guides and information provided on this website.

The content on this website is not intended as legal advice for your company on which you can rely for compliance with the legal regulations on data protection – in particular the GDPR – nor can it replace individual legal advice.

Furthermore, by accessing this free and freely accessible content, no contractual relationship is established between us and you as a user of the website in the absence of a corresponding legally binding intention on our part.

FAQ on commissioned data processing (ADV):

What is commissioned data processing (ADV)?

The processing of personal data by an external service provider on behalf of a company. Since the GDPR, the term "processing on behalf of a controller" (AV) is usually used.

When is a DPA (AVV) with an ERP provider necessary?

Whenever personal data is processed by the ERP provider or its subcontractors, for example with cloud ERP or SaaS solutions.

Who is the controller and who is the processor?

The company using the ERP is the controller. The ERP provider, or an IT service provider that operates the system, is the processor.

What data is typically processed when an ERP provider acts as processor?

Customer data, employee data, supplier information, financial and accounting data or project data.

What happens without a DPA?

Without a valid DPA, processing is unlawful. Companies not only risk high fines, but also a loss of trust from customers and business partners.