Order processing contract according to Art. 28 GDPR: submission and obligations
An AVV template is more than a form. It is documented proof that you, as the controller, have your processors under control. This article explains mandatory components according to Art. 28 GDPR and shows the way to audit-proof documentation.
Art. 28 Paragraph 3 GDPR requires a written or electronic contract as soon as a person responsible has personal data processed by a service provider. Without this order processing agreement (AVV), the transfer is unlawful and the person responsible is liable for damages in accordance with Art. 82 GDPR. Supervisory authorities check the existence, the depth of the content and the adaptation to the specific processing. A generic template from the Internet is rarely sufficient for an audit because it does not reflect the technical and organisational measures (TOM) and ignores the specific subcontractor chains. The Data Protection Conference has emphasised in several short papers that a blanket clause without reference to the specific service does not meet the requirements of Art. 28 GDPR.
This article explains which mandatory components an AVV must contain in accordance with Art. 28 Paragraph 3 GDPR, which clauses make sense beyond the mandatory program and how you can prove the contractual situation with each service provider at any time. You will learn how templates, appointment certificates from the data protection officer and TOM lists can be brought together in an auditable file, and which traps are particularly common with cloud providers, subcontractors and third-country transfers. CIVAC operates this file as a compliance platform and officer-as-a-service, so that the appointment certificate is signed, filed and verifiable when the regulator calls.
Key Takeaways
- An AVV according to Art. 28 Para. 3 GDPR requires ten mandatory components, including subject matter, duration, TOM and sub-processor regulation.
- Generic online templates fail in audits because they do not reflect the specific technical and organisational measures.
- The appointment certificate, AVV register and TOM list belong in a central, versioned file that is kept by the external data protection officer.
When you need an AVV and when you don't
An order processing contract is always required when a service provider processes personal data on behalf of the person responsible. Art. 4 No. 8 GDPR defines the processor as a natural or legal person who processes data on behalf of the controller. Typical constellations include cloud hosting, newsletter distribution, payroll accounting, external IT support, CRM systems, cookie banner providers, marketing automation, helpdesk software and telephony services. An external data protection officer himself is also not data processing because he acts as a consultant in accordance with Art. 39 GDPR. This also does not include the external auditor who audits within his own scope of duties in accordance with Section 316 of the German Commercial Code (HGB).
No order processing occurs if the third party pursues its own purposes. Persons subject to professional secrecy such as tax advisors, lawyers or auditors act on their own responsibility; a confidentiality regulation is sufficient here. Pure maintenance contracts without data access are also excluded, as are banks or payment service providers that fulfil their own obligations under the KWG and ZAG. Tracking services in which the provider also uses the data for their own purposes are in the gray area. Here, joint responsibility according to Art. 26 GDPR is usually relevant, not Art. 28. This requires a different type of contract, namely a joint controller agreement.
The obligation to provide documentation applies from the first data record processed. Supervisory authorities in Bavaria, Baden-Württemberg and North Rhine-Westphalia regularly use random cross-sectional procedures to check whether those responsible have an effective AVV for all external service providers. Anyone who cannot present a contract loses the privilege of Article 28 GDPR and treats each transmission as independent processing with its own legal basis. This is not regularly possible. A clean AVV situation is therefore not a bureaucratic obligation, but the basis of every outsourcing in the area of personal data. Anyone who has appointed an external data protection officer has this question checked routinely and processed when onboarding new service providers.
The ten mandatory components according to Art. 28 Para. 3 GDPR
Art. 28 Paragraph 3 GDPR lists the minimum contents of an AVV in ten points. First, the subject and duration of the processing. Secondly, nature and purpose of processing. Thirdly, the type of personal data, including whether special categories under Article 9 GDPR (health data, biometric data, trade union membership) are processed. Fourth, the categories of data subjects (employees, customers, suppliers, applicants). Fifth, the duties and rights of the controller. These five points form the descriptive part and must reflect the concrete performance, not an abstract formula.
Sixth, adherence to instructions: The processor processes data exclusively on documented instructions from the person responsible. Seventh, confidentiality: Persons authorised to process must undertake confidentiality or be subject to a duty of confidentiality. Eighth, technical and organisational measures according to Art. 32 GDPR: These must be described specifically, not abstractly. Ninth, sub-processors: general or specific written authorisation, plus the obligation to pass on the same data protection obligations to the sub-processor. Tenth, support for the controller with data subject rights in accordance with Articles 12 to 22 of the GDPR, with security in accordance with Articles 32 to 36 of the GDPR and with data protection impact assessments in accordance with Article 35 of the GDPR.
In addition, there is the obligation to return or delete the data after the end of processing as well as the controller's right to audit, which includes the provision of information, inspections and audits. In practice, the audit right is often substituted by accepted certificates such as ISO/IEC 27001:2022 or industry-specific audit reports (SOC 2 Type II, BSI C5). Important: The template must contain all ten points and be specified for specific processing. In the opinion of several supervisory authorities, a blanket clause “TOM in accordance with GDPR” is not sufficient. It is recommended to use a table in which each of the ten mandatory points is linked to a specific contract section so that the auditor can verify completeness within minutes.
Clearly document technical and organisational measures (TOM).
The TOM is the most common vulnerability in AVV templates. Art. 32 GDPR requires a level of protection appropriate to the risk and names pseudonymization, encryption, confidentiality, integrity, availability and resilience as protection goals. A test-proof TOM system must translate these protection goals into concrete measures. These include access control (factory security, locking system, visitor registration), access control (authentication, password policy, two-factor authentication), access control (authorisation management, need-to-know principle, regular recertification), separation control (client separation, test environments without real data), transfer control (transport encryption TLS 1.2 or higher, VPN, secure email) and input control (logging, audit logs, storage of logs according to deletion concept).
For cloud services, the list is supplemented by availability control (recovery point objective, recovery time objective, backup concept, disaster recovery tests) and order control (subcontractor list, compliance with instructions, escalation paths). Those responsible should not blindly adopt the processor's TOM system, but rather check it for plausibility. A TOM list that makes the same statement for a cloud data centre as for a tax office with five employees is a warning signal. ISO/IEC 27001:2022 with its 93 controls provides a recognised frame of reference that is regularly accepted in audits, as do the BSI-IT-Grundschutz modules in the 2023 edition.
Practical tip: Request a TOM system that is structured according to the protection objectives of the GDPR and supplement it with the EU data residency (storage location, backup location, support access). third countries). For third country transfers, you also need standard contractual clauses in accordance with Implementing Decision 2021/914/EU and a Transfer Impact Assessment (TIA). Anyone who stores the TOM list in version form in the Compliance Workspace can export the respective contractual basis for any service provider as a PDF at any time and present it in the supervisory procedure within minutes. Others run compliance like a filing cabinet. We run it like software. In the mandate of the external data protection officer, this maintenance is part of the monthly routine, so that the contractual situation is not only refreshed during the audit stress, but remains permanently auditable.
Sub-processors and the chain of responsibility
According to Article 28 Para. 2 GDPR, processors may only use additional processors (subcontractors) with the prior written consent of the person responsible. In practice, a general approval is usually granted, coupled with an obligation to provide information in the event of a change and a right of objection for the person responsible. This clause is not trivial: cloud providers such as Microsoft, Google and Amazon Web Services maintain dozens of sub-processors worldwide. A list that changes quarterly must be monitored so that objection rights can be exercised in a timely manner. The deadlines are often 30 days from the date of information.
The main processor is liable to the controller for the breaches of duty of its sub-processors as well as for its own. He must impose the same data protection obligations on them, in particular the TOM according to Art. 32 GDPR. Those responsible should regularly request the subcontractor list and compare it with their AVV register. A useful practice is the semi-annual sample of critical service providers, such as the primary cloud provider, the CRM host and the email security service. Samples should be documented and included in the register of processing activities.
The situation becomes complex when it comes to third country transfers within the subcontractor chain. If a German SaaS company uses Google Cloud and Google in turn uses subcontractors in the USA, India and Singapore, the legality depends on the standard contractual clauses and the EU-US Data Privacy Framework. The Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the Data Protection Conference have pointed out in several resolutions that the privilege model of Article 28 GDPR does not replace the obligation to check third countries. Anyone who commissions an external data protection officer has the subcontractor chains of the most important service providers audited annually and the TIA documentation updated. The appointment certificate, signed, filed, verifiable. For US providers, it is also recommended to take a look at the Cloud Act Risk Assessment, which assesses the theoretical reach of US authorities to data stored in the EU.
AVV register: central file instead of scattered Word files
The obligation to keep a record of processing activities in accordance with Art. 30 GDPR is well known. What is less known is that a parallel AVV register is actually mandatory as soon as order processing takes place. During inspections, supervisory authorities require a list of all processors with contract date, contract status, TOM version, subcontractor list and risk classification. Scattered storage in Outlook mailboxes, Sharepoint folders and contract folders cannot be audited in the event of an audit. In the worst case, the signed AVV is missing because it was sent as an attachment in an email conversation and was never transferred to the contract file.
An effective AVV register records at least nine fields for each service provider: company name, location, service, contract date, contract version, TOM version, subcontractor list, third country reference and risk class (low, medium, high). There are also resubmission deadlines for TOM updates and subcontractor changes as well as a field for the contact person at the service provider with their email address and telephone number. If you keep the register as a table, you should link the cells to the respective PDF contracts so that the complete contract file can be accessed with two clicks. A column for the last audit date completes the table.
For medium-sized companies with 30 to 80 service providers, manual maintenance becomes a full-time task. A compliance platform takes care of this by versioning contracts, maintaining TOM lists with change history and automatically triggering follow-ups. CIVAC provides data protection officers with a workspace with 490 ready-to-use audit templates, including AVV sample texts, TOM attachments and subcontractor registers. The EU data residency is active by default, so that no data flows to third countries. Licence the workspace for your internal representatives, or have our representatives order it. The auditor calls, the evidence is ready. The SLA response time of two business days for AVV updates and new onboardings replaces the classic waiting time of two to six weeks that is common in many consulting mandates.
Implement audit law practically without overburdening the processor
The audit right according to Article 28 Paragraph 3 Letter h GDPR is a double-edged sword. Theoretically, any controller is allowed to inspect any processor on site at any time. In practice, a hyperscaler would receive thousands of on-site audits per year. The solution lies in a tiered model: By default, the person responsible accepts independent audit reports and certificates, such as ISO/IEC 27001:2022, ISO/IEC 27017, ISO/IEC 27018, SOC 2 Type II or the BSI C5 certificate. A separate audit is only carried out if there is a justified reason (data breach, notice from the supervisory authority, significant contractual change). This model is also recognised in the European Data Protection Board's information paper on order processing.
The AVV clause should explicitly describe the phased model: firstly, the right to provide audit reports, secondly, the right to written information, thirdly, the right to an on-site audit after advance notice of at least four weeks, and fourthly, a special right of termination in the event of refusal. It is important to clarify the question of costs: who bears travel costs, auditor's fees, and the processor's expenses? In practice, routine costs are borne by the person responsible, and event-related audits following a breach by the processor are borne by the person responsible. It makes sense to put a cap on the annual audit effort, around two person-days for the processor without any costs.
Document maintenance is crucial for the person responsible. Every audit certificate received belongs in the contract file with the date of issue, validity and scope. An ISO/IEC 27001:2022 certificate that does not cover the service relevant to you is worthless. Pay attention to the Statement of Applicability (SoA) and the scope. For representatives who work in the Information Security Officer workspace, the certificate situation is monitored centrally and follow-ups are triggered automatically. This is how the audit right becomes effective in practice and not just in theory. Audit-proof, documented, Art. 28-firm.
Template Traps: What a free template doesn’t do
Free AVV templates from the Internet usually only cover the mandatory part that applies to generic processing. Three typical gaps: First, the TOM system is a list of generalities with no connection to specific performance. Secondly, the subcontractor regulation contains no mechanism for switching and no right of objection. Thirdly, the clause regarding data return or deletion after the end of the contract is unclear, especially in the case of backup stocks that continue to exist for weeks or months after the deletion order. A verifiable clause specifies deletion periods for primary data and backups separately.
Another trap: the language of the contract. For service providers based outside the EU, AVVs are often only offered in English. This is legally permissible, but is problematic in the audit because supervisory authorities can require a German or at least a certified translation. For critical processing, the AVV should be available in two languages or with a certified translation. In disputes before German courts, the German language version is usually authoritative, which can lead to problems of interpretation if the language is purely English.
The liability clause is also often overlooked. Standard AVVs of the processors regularly contain liability limitations, which can be ineffective according to Section 309 No. 7 BGB if they exclude intent or gross negligence. Those responsible should delete these clauses or replace them with a balanced regulation. Finally, many templates lack an explicit regulation on the obligation to report data breaches: the processor must inform the person responsible immediately, usually within 24 hours, so that the data controller can comply with the 72-hour deadline in accordance with Article 33 of the GDPR. Deadline begins as soon as we become aware of it. Anyone who formulates this inaccurately will lose hours in an emergency and may miss the reporting deadline, which can be punished with fines of up to 10 million euros according to Art. 83 Para. 4 GDPR.
Interfaces to the NIS 2 Implementation Act and ISO 27001
Since the NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), around 29,500 companies in Germany are obliged to systematically manage supplier risks (§ 30 BSIG draft). Order processing is part of this supply chain management. Anyone who maintains AVVs for their cloud services, IT service providers and SaaS providers has already provided a significant portion of the NIS 2 supplier documentation. However, NIS-2 also requires a risk analysis per supplier and a documented restart concept in the event of failure, as well as a concept for the orderly termination of the business relationship.
The bridge to ISO/IEC 27001:2022 runs via Control 5.19 (Information Security in Supplier Relationships), Control 5.20 (Addressing Information Security in Supplier Agreements) and Control 5.21 (Managing Information Security in the ICT Supply Chain). Anyone who operates a certified ISMS according to ISO/IEC 27001:2022 has already created the structures for AVV management: supplier register, risk classification, audit plan, resubmission deadlines. The transition period to ISO/IEC 27001:2022 runs until October 2026, after which audits will only be carried out according to the new version. Anyone who delays the change will lose the certificate status and thus the contractual proof to customers, supervisory authorities and clients.
A sensible consolidation brings together three views: firstly the GDPR view (AVV register according to Art. 28), secondly the NIS 2 view (supplier register according to § 30 BSIG-E), thirdly the ISO 27001 view (Supplier Inventory according to Control 5.19). In practice it is the same data set with different filters. CIVAC merges these three views into a single file so that officers with three different roles (DPO, ISB, NIS-2 officer) access the same source. See the article on NIS 2 implementation in Germany. Multiple capture is not fate, but a tool issue and a result of clean data modelling. Anyone who consolidates early saves several days of preparation work for the next wave of audits.
From the AVV register to the compliance platform: The CIVAC approach
An AVV is not a paper, but a promise that must be proven in an emergency. CIVAC is a compliance platform and officer-as-a-service that takes on this evidence function. All contracts are versioned in the workspace, every TOM system is linked to the contract, every subcontractor has its own data set with third country marking and risk class. Resubmissions for TOM updates, certificate extensions and audit plans run automatically. The EU data residency is active by default, so that the platform itself does not trigger third country transfers.
Licence the workspace for your internal representatives, or have our representatives order it. The appointment certificate for the external data protection officer will be issued within two working days (instead of the usual two to six weeks). It is signed, filed and linked to management via the reporting line. In the event of a data breach, the 72-hour reporting path is prepared in accordance with Art. 33 GDPR, and the AVV register immediately shows which processors are affected. The notification texts for the supervisory authority are available as a template.
Anyone who only checks the AVV inventory during the audit has lost. Anyone who keeps it in an auditable file with a reporting line gains two working days of response time and significantly reduces the risk of fines in accordance with Art. 83 GDPR. Turn reading into a mandate.: Write to info@civac.de or use the contact form on civac.de to initiate the appointment of an external data protection officer or the licensing of the workspace. We will send you a sample folder with AVV template, TOM system and subcontractor register, tailored to your industry and depth of processing. A 30-minute initial consultation on the specific contractual situation of your five most important service providers is part of the initial contact. Others run compliance like a filing cabinet. We run it like software.
FAQ
Do I need an AVV with my tax advisor?
No. Tax advisors act under their own responsibility in accordance with Section 11 StBerG and are bound by professional secrecy in accordance with Section 203 StGB. They are not processors within the meaning of Art. 28 GDPR. An additional confidentiality declaration is not necessary because the professional obligation of confidentiality applies. The same applies to lawyers, auditors and notaries.
Is an online template sufficient for our cloud provider?
Just as a starting point. Cloud providers such as Microsoft, AWS or Google offer their own AVV annexes (Data Processing Addendum), which are usually legally secure, but contain third country clauses, subcontractor lists and standard contractual clauses that must be checked. A generic online template without adaptation to the specific service generally does not comply with Art. 28 Para. 3 GDPR.
Who bears the costs of an audit of the processor?
Routine audits are carried out by the person responsible, and event-related audits following a breach by the processor are carried out by the person responsible. In practice, those responsible accept independent audit reports such as ISO/IEC 27001:2022 or SOC 2 Type II as a substitute for on-site audits. On-site audits are only carried out if there is a justified reason, such as after a data breach or a tip from the supervisory authority.
What happens if the processor does not sign the AVV?
Without an effective AVV, the transmission of personal data to the service provider is unlawful. The person responsible is liable for damages according to Art. 82 GDPR and can risk a fine according to Art. 83 Para. 4 GDPR of up to 10 million euros or two percent of the group's annual turnover. In practice, the commissioning should be linked to the effective signing of the AVV and no data access should take place before the contract is concluded.
How often do I have to update the TOM system?
At least annually, and immediately in the event of significant changes to processing, infrastructure or security situation. Anyone who operates an ISMS according to ISO/IEC 27001:2022 checks TOM as part of the management review and internal audits. A TOM system that has remained unchanged since the contract was signed three years ago is a red flag to any regulator and should be checked immediately.
What must be included in the AVV for third country transfers?
For processing operations outside the EU or EEA, the AVV requires a reference to the standard contractual clauses (implementation decision 2021/914/EU) or an adequacy decision by the EU Commission. In addition, a Transfer Impact Assessment (TIA) must be carried out, which assesses the risks in the third country. The EU-US Data Privacy Framework applies to the USA, provided the recipient is certified.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.