Lesson 4

Data processors - what must you consider?

What do I have to consider regarding data processors?

Not every external service provider who receives access to personal data from you is automatically a processor. There are in principle 3 possibilities of a “data processing relationship”: joint accountability, data processors, or transmission (function transfer). You only need a data processing contract in the case of a data processor relationship.

An example: You and your partner company that helps you with the monetization of your customer data or takes on parts of management are mutually responsible. Here, you both determine the means and purpose of data processing. On the other hand, a transmission of functions exists precisely when data processing as such only plays a minor role. This would be, for example, an external accounting firm or a security service. On the other hand, it is clear for a processor: they are acting under your explicit contract and, as the controller, you determine the purpose and means of data processing. You should then enter into a data processing agreement with them.

It is therefore best to make a list of providers with whom you exchange data. You should also check which form of “relationship” exists every time you transmit to a provider.

What should be done regarding processors?

A processing contract (often known as a data processing agreement) must additionally be closed with every third party provider. This is nothing more than a formal agreement between you and the third party regarding the GDPR compliant elicitation, processing and use of personal data.

If you use processors outside of the EU, for example in the USA, you may find that these do not offer a data processing agreement for your customers/partners. In this case, you should consider rethinking your choice of tools. This gives you the opportunity to optimize your internal processes whilst at the same time revising them in accordance with the GDPR.

Note: When working with a provider from a third country, check whether it is a safe or unsafe third country. Safe third countries are those which the EU considers to have adequate arrangements, or US companies who can produce a Privacy Shield certificate. If this isn’t the case, it can be considered to be an unsafe third country. You then require an EU-specified contract model, also known as the “model clause” contract.

You can find more details here:


​You can continue working with these providers:

We contacted third party providers who are often used by our vendors and affiliates and received answers from the following providers (as of 01.10.2018).

A data processing agreement is offered. https://capsulecrm.com/dpa/.

A data processing agreement is offered. This can be activated in your account.

No agreement is necessary as it is a plugin. This is installed directly on the customer server and no data is therefore sent to DigiMember.

The data processing agreement can be entered into directly in your account.

Klick-Tipp has been offering such agreements for a long time and should be the first choice for anyone wanting to operate data protection-compliant email marketing. Since the majority of the Klick-Tipp team is based in the EU, they are always up to date on the subject of GDPR compliance. They have always been the front runners regarding GDPR and drew attention to GDPR, which has existed since 2016, years ago.

The data processing agreement can be entered into directly in your account.

A data processing agreement can be entered into via the following link: https://swissmademarketing.com/data-processing-agreement/.

A data processing agreement can be entered directly in your account.

No agreement is necessary as it is a plugin. This is installed directly on the customer server and no data is therefore sent to Wishlist.

Zapier offers a common data processing agreement. This can be found here: https://zapier.typeform.com/to/TcS4pD

If any of the tools you use have not be listed here, please contact the third-party provider directly. They can give you information regarding whether or not a data processing agreement can be entered into.

In chapter 8, you can find a checklist to keep track of your third-party suppliers in our processing directory template.


Klick-Tipp or Gorilla CRM are typical processors. As a reseller, Digistore24 is not a processor. Digistore24 gives you customer details after the sale, so that you as a vendor fulfill the purchasing contract. Therefore, it is not necessary to enter into a data processing agreement with Digistore24.

We’ve made a specific chapter which directly answers all important questions.

←To lesson 3

To lesson 5→

Overview Lectures

Switch quickly and easily to all lessons of the course.

Course Overview
Lesson 1 GDPR basics - definitions
Lesson 2 Data protection
Lesson 3 Data protection declaration
Lesson 5 Email marketing
Lesson 6 Lead magnets & coupling prohibition
Lesson 7 GDPR compliant tracking
Lesson 8 Internal handling of data
Lesson 9 Information request
Lesson 10 GDPR and Digistore24

We would like to expressly point out that this online course in no way replaces legal advice from a specialist lawyer and has no claim to correctness or completeness. 

www.digistore24.com | Impressum | Privacy policy

English | German

Made with Coachannel Badge