Order processing according to GDPR article 28

Article 28 of the General Data Protection Regulation (GDPR) legally defines the order processing of data. As soon as there is an order processing relationship according to Art. 28 and external service providers have the opportunity to access personal data, a legal basis must be created by means of a data processing agreement. As the world's leading expert on GDPR in the Atlassian ecosystem, we provide you with a complete toolkit to become fully GDPR-compliant in a simple and fast way.

GDPR article 28: order processing explained

Article 28 of the General Data Protection Regulation (GDPR) legally defines the order processing of data. But what exactly does that mean? Order processing comes into play whenever a company is commissioned to process personal data. The commissioned company then acts as a processor, which according to Art. 4, No. 7 can be both natural and legal persons or authorities.

Examples of order processing:

• External payroll

• Remote maintenance or external IT support

• Cloud providers

• Web hosts

• External accounting

• Call center for customer calls

As soon as there is an order processing relationship according to Art. 28 and external service providers have the opportunity to access personal data, a legal basis must be created. By means of a contract between the person responsible and the processor, the corresponding legal framework conditions are laid down, which must be observed when handling this personal data. The data processing agreement (DPA) defines, among other things, the rights and obligations of both parties, and the purpose of data processing.

What must be included in a DPA?

It is important that a data processing agreement is concluded before the actual order processing to fulfil all legal bases. Since the responsibilities must be clearly defined in the event of a conflict between the parties, it is important to draw up a DPA in a correspondingly clear and legally compliant manner.

What must be included in a DPA according to GDPR article 28:

• Subject of the processing order (description of the activity of the processor)

• Purpose of the processing (admissibility of the intended data processing)

• Rights and obligations of the contractor/client

• Duration of the contract

• Confidentiality obligation (compliance with confidentiality when processing data)

After the processing has been specified in writing or electronically, the client must regularly check compliance with the order processing contract and takes responsibility for compliance with data protection regulations. Failure to comply can result in hefty penalties of up to 20 million euros or 4 percent of annual sales! In order to avoid this and to comply with the GDPR, the customer must also ensure that the privacy policy on the website lists who further processes user data.

Data security in the Atlassian ecosystem

The factors mentioned above play an important role, especially when dealing with Cloud services, since this is often the starting point for order processing. Common GDPR regulations must also be observed when using Jira and Confluence, which is often overlooked.

As the world’s leading expert on GDPR in the Atlassian ecosystem, we provide you with a complete toolkit to become fully GDPR-compliant in a simple and fast way. Use the GDPR (DSGVO) and Security for Jira und GDPR (DSGVO) for Confluence apps, to create notifications, obtain consent, anonymize personal user data, set rules for automation, access statistics and much more – all that you need to protect yourself with regard to the General Data Protection Regulation.

Test our tools for 30 days free of charge on the Marketplace, and your Jira and Confluence instances will become GDPR-compliant in no time.

You can trust our data processing – try it yourself!