Frequently, companies have no (economic) interest in maintaining their own IT department with appropriately qualified personnel. These services are therefore often assigned to external service providers, who take care of maintaining the entire IT structure, including servers, computers, printers, fax machines and telephone systems.
During on-site installations or remote maintenance support, IT service providers regularly gain access to personal data, or are at least able to perceive it. This is sufficient to count as processing of data under the General Data Protection Regulation (GDPR). As this is a so-called processing pursuant to Art. 28 GDPR, a separate contract for processing must be concluded before the service provider is engaged. This contract is binding for both parties, as otherwise the processing is carried out unlawfully and may result in a fine.
As with any contract, it is important to check carefully which agreements can be made. Depending on whether you are the controller or the processor in a processing operation, various aspects are particularly relevant and must be clarified in advance. You cannot, and are not allowed to, simply sign a contract that has not been reviewed beforehand. MORGENSTERN creates a system for formalised processing, including contract review and documentation, for IT service providers and supports them in all questions relating to privacy and IT security.