The idea of commissioned data processing is to ensure that personal data is processed in a compliant and safe way when it is collected by or transferred to a service provider such as a marketing agency or a cloud storage platform. If a valid commissioned data processing agreement is in place, the so-called controller – the company that defines the purposes and essential means of the data processing – and their processor (the ones who act as service providers and act based on instructions from the controllers) may echange personal data without the need of a legal basis for the data transfer such as the data subject's consent.

The law requires a "contract or other legal act [...] that is binding on the processor with regard to the controller [...]". While the law emphasises the obligation of the processor, a document with signatures of both parties is recommendable for the purpose of evidence.

The requirement addresses both the controller and the processor which is why large service providers often have their own template for their customers in place. Without an agreement, the processor would legally be considered as a controller and would have ensure compliance of the data processing activity it carries out by themself.

The commissioned data processing agreement has to be concluded before the start of the data processing activity. Starting with the processing of data before a contract is in place would be unlawful and subject to a possible fine. A missing or invalid data processing agreement may be subject to administrative fines up to 10 000 000 EUR, or up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.