Lesson 4

Data processors - what must you consider?

Your progress: 30%

What do I have to consider regarding data processors?

Not every external service provider who receives access to personal data from you is automatically a processor. There are in principle 3 possibilities of a “data processing relationship”: joint accountability, data processors, or transmission (function transfer). You only need a data processing contract in the case of a data processor relationship.

An example: You and your partner company that helps you with the monetization of your customer data or takes on parts of management are mutually responsible. Here, you both determine the means and purpose of data processing. On the other hand, a transmission of functions exists precisely when data processing as such only plays a minor role. This would be, for example, an external accounting firm or a security service. On the other hand, it is clear for a processor: they are acting under your explicit contract and, as the controller, you determine the purpose and means of data processing. You should then enter into a data processing agreement with them.

It is therefore best to make a list of providers with whom you exchange data. You should also check which form of “relationship” exists every time you transmit to a provider.

What should be done regarding processors?

A processing contract (often known as a data processing agreement) must additionally be closed with every third party provider. This is nothing more than a formal agreement between you and the third party regarding the GDPR compliant elicitation, processing and use of personal data.
If you use processors outside of the EU, for example in the USA, you may find that these do not offer a data processing agreement for your customers/partners. In this case, you should consider rethinking your choice of tools. This gives you the opportunity to optimize your internal processes whilst at the same time revising them in accordance with the GDPR.

Note: When working with a provider from a third country, check whether it is a safe or unsafe third country. Safe third countries are those which the EU considers to have adequate arrangements, or US companies who can produce a Privacy Shield certificate. If this isn’t the case, it can be considered to be an unsafe third country. You then require an EU-specified contract model, also known as the “model clause” contract.

You can find more details here:


You can continue working with these providers:

We contacted third party providers who are often used by our vendors and affiliates and received answers from the following providers (as of 01.10.2018).

Capsule CRM








Wishlist Membership


If any of the tools you use have not be listed here, please contact the third-party provider directly. They can give you information regarding whether or not a data processing agreement can be entered into.

In chapter 8, you can find a checklist to keep track of your third-party suppliers in our processing directory template. 


Klick-Tipp or Gorilla CRM are typical processors. As a reseller, Digistore24 is not a processor. Digistore24 gives you customer details after the sale, so that you as a vendor fulfill the purchasing contract. Therefore, it is not necessary to enter into a data processing agreement with Digistore24. We’ve made a specific chapter which directly answers all important questions.

Wir möchten ausdrücklich darauf hinweisen, dass dieser Online-Kurs keinesfalls eine Rechtsberatung durch einen Fachanwalt ersetzt und auch keinen Anspruch auf Richtigkeit oder Vollständigkeit hat.

www.digistore24.com | Impressum | Datenschutzerklärung