Model Order Processing Contract for the health care industry, adapted to meet the GDPR

Five associations in the health care sector were requested to adapt existing data processing recommendations to ensure compliance with current legal requirements amended by the EU General Data Protection Regulation. A document explaining the requirements when dealing with existing data processing contracts was also compiled.

With the promulgation of the European General Data Protection Regulation (GDPR) on 24 May 2016, and the date of entering into force set at 25 May 2018, the GDPR provisions will become directly applicable to order processing (AV) in Germany after this date. They will supersede national order data processing provisions.

The requirements for content relevant to data protection in order processing contracts (AV contracts) were also defined within the GDPR framework. These are largely in agreement with current German legislation, although some differences will need to be taken into account when concluding future contracts. Apart from conceptual changes, requirements for obligation to secrecy, for suitable technical and organisational measures and for client support (new “responsible person”) by the contractor (new “order processor”) will, for instance, be changed or specified.

“The GDPR provisions will be applicable not only to future contracts but also to all existing and effective contracts. This means that the various health institutions such as doctor’s surgeries and hospitals should examine and, if necessary, amend contracts they concluded with service providers for compliance with the GDPR requirements. Service providers will in this context be the owners of such data and should realise that they could be held fully liable in case of non-compliance with data protection standards. This is why we met with the DKG [German Hospital Society], BvD, GMDS [German Society for Medical Documentation, Information and Statistics] and GDD [Society for Data Protection and Data Security] to develop a concept for supporting our customers”, explains Katrin Keller, Board member responsible for data protection and IT security at the bvitg [German Association of Health IT Vendors].

The associations developed a narrated model AV contract for their comprehensive study, to address specifically the special interests of the health sector: “The model contract will assist data protection officers of all involved companies – be it doctor’s surgeries, hospitals or IT producers – to ensure legally compliant data processing”, explains Nikolaus Schrenk, BvD Board member.

DKG CEO Georg Baum welcomes the jointly developed document: “This is an important step towards implementation of the EU General Data Protection Regulation”, says Baum. The updated model contract was very useful to hospitals needing to implement the secure and practical data protection required by the health sector.

Bundesverband Gesundheits-IT – bvitg e. V
Taubenstraße 23 10117 Berlin
Tel.: 030 206 22 58-20
Fax: 030 206 22 58-69
V.i.S.d.P. [responsible in the sense of the German Press Law]: Sebastian Zilch, Managing Director

Press contact person:
Natalie Gladkov
E-mail: Tel.: 030 / 206 22 58-18

Holger Mages
Press office of the German Hospital Federation E-mail:
Tel.: 030 / 39 801-1021

Barbara Stöferle, BvD Medical Working Group, E-mail: Tel.: 030/26367760