Web hosting, web design, programming as order data processing

With every customer who has had websites programmed or provided on the Internet via TBA-Hamburg/-Berlin since 2018, often including. of its email accounts belonging to the domain, we conclude a commissioned data processing contract in accordance with the GDPR.

Since questions often arise in this context, we try to explain here what this contract is, why and what you need it for.

This article is not legal advice and is not a substitute for legal advice.

Here you can conveniently confirm your order data processing contract online.

What is at issue?

Since the new data protection law (GDPR), there are new rights and obligations for website operators. On the one hand, the website must be operated in a technically and contentwise data protection-compliant manner. And if you have commissioned an external service provider to make the website available on the Internet (web hosting), a commissioned data processing contract must be concluded with this provider.

FAQ commissioned data processing

Data processing (ADV) is the collection, processing or use of personal data (e.g. names, e-mail addresses, account data) by a processor in accordance with the instructions of the data controller on the basis of a contract.

The Art. 28 para. 3 GDPR specifies its minimum content requirements. Therefore, such a contract is quite extensive, even if in some cases only very few data are involved.

An application example

If a web user wishes to exercise his or her right to access and delete his or her data, he or she does not have to contact all possible companies and persons who have come into contact with his or her data during processing, but only one person named in the respective privacy policy. This person must then initiate further steps and it must be regulated who is bound by whose instructions in a network of companies and service providers.

So a customer enters his data into a web form to order e-mail news. Later, he wants to know exactly what data is stored. He or she contacts the person in charge, who is listed in the privacy policy, who contacts all other parties who have contact with the data, e.g. internal employees, the e-mail dispatch service provider, the web designer/administrator, the hosting provider... collects the information and sends it in bundles to the person asking the question. The order data processing contract regulates these details.

What was web hosting again?

To be able to present a website on the Internet, you need sufficient storage space and other functionalities on a computer (web server) connected to the Internet around the clock. The use of an own web server is complex and associated with high costs. Common practice is therefore for most business and private website operators to rent server space on an external web server for this purpose. This service is called web hosting and is offered by TBA-Berlin.

And is this commissioned data processing?

The answer: quite clearly! - Services of a website hoster, "such as receiving and archiving e-mails from customers or interested parties or contact form entries on the website on behalf, tracking the behaviour of website users on behalf etc. ... are to be classified as data processing on behalf ..." (BayLDA).

According to new case law, personal data that must be regulated even arise if you only provide the website on the Internet, because: IP addresses are personal data according to German BGH high court. At the latest with the e-mails, which are administered in most cases together with your website on our web server, it is crystal clear that personal data of you are administered here.

As a rule, web design also includes the handling of personal data. Example: A web designer is supposed to set up WordPress and gets the access data for the database, which also contains customer or user data. As soon as a service provider has a possibility (even purely theoretical) to access personal data, it must at least be examined in detail whether the rules on commissioned data processing are applicable.
Source: t3n.de

In case of doubt, we always conclude such a contract even if it is "only" about web design.

That depends. If, for example, a plugin for WordPress is written and delivered, which makes something colorful, and we do not get access to other data (e.g. certain server data, IP addresses) are probably not personal data affected. Counterexample: An online shop operator commissions a programmer with a software update, in the context of which the programmer has access to customer data. This is then clearly commissioned data processing.
Source: t3n.de

In case of doubt, we always conclude such a contract here as well.

In cooperation with us: Unfortunately no. - If in fact no usable commissioned data processing contract is concluded, the legal situation is clear: Ea service provider may not be used by the client without a corresponding contract if the processing is commissioned. And this is regularly the case with web design and especially web hosting.

Any cooperation that nevertheless takes place is unlawful; heavy fines are threatened and imposed. In addition, the client thereby violates his own duties of care. If damage occurs here, not only the company but also the management is liable - personally! Insurance will not cover obvious breaches of duty of this kind in case of doubt. So the risk should not be underestimated.
Source: activemind.com

The contract only regulates responsibilities in the handling of personal data. Costs are left out and signing this contract does not create an obligation to pay.

Of course, in reality, we incur a lot of costs in connection with this: the new EU data protection law means a considerable additional effort for everyone, including us. However, in order to keep the contract as clear and simple as possible, it does not talk about costs, but only refers to existing agreements for web hosting, programming, etc.

Of course, we will generally charge you for expenses incurred in the course of our work for you. However, this is not done on the basis of the commissioned data processing contract, but is discussed and agreed with you separately.

The contract is only needed as long as there is a common project (web design, web hosting, etc.). As soon as we no longer manage any personal data from you, a commissioned data processing contract is no longer required and can be terminated.


As soon as you produce your homepage via an external service provider (e.g. the TBA-Berlin) and/or put it online, or have your e-mails managed by the service provider, you need a contract for commissioned data processing (ADV contract) with this service provider. There are drastic fines if you fail to do so.

The TBA-Berlin has of course prepared order data processing contracts for all customers. Please contact us if you do not have a contract yet.

Reading Tips: