Processor Agreement (PA)


If personal data are processed by a service provider on behalf of a third party and in accordance with instructions, this is considered as commissioned processing. In this case, a processing agreement (PA) must be concluded.

The client is still legally responsible for the personal data and how it is handled. He must select the contractors with due care and regularly review their activities.



  • Commissioned processing is when data is processed on behalf of a contractor in accordance with instructions.
  • Examples of commissioned processing are service providers such as payroll offices and document shredders as well as outsourcing solutions such as SaaS and hosting providers.
  • If a commissioned processing relationship exists, a processing agreement (PA) must be concluded pursuant to Art. 28 (3) GDPR or Art. 9 nDSG.
    The PA defines, among other things, the subject matter, type and purpose of the processing as well as the respective rights and obligations of the client and contractor.
  • According to the GDPR, the obligation to carefully select a processor applies.
  • If data is transferred to third countries during commissioned processing, the legal basis for such a transfer must be examined.


According to this definition, fccDataPrivacy is subject to the regulations on commissioned processing.