Skip to content
Biscotti CMP
FeaturesPricing๐Ÿ” Cookie Checkโ™ฟ Accessibility๐Ÿ“ฆ DownloadsDocumentationBlog
Login
Homeโ€บBlog

The Ultimate Guide to AVVs: Why Every Data Processor Needs One

July 7, 2026 ยท 15 min read

The Ultimate Guide to AVVs: Why Every Data Processor Needs One

Quick Answer: An AVV (Auftragsverarbeitungsvertrag) is a legally mandated contract under GDPR Article 28 between a data controller and a data processor. Any organization that processes personal data on behalf of another party must have one in place. Operating without an AVV exposes both parties to fines of up to โ‚ฌ20 million or 4% of global annual turnover, whichever is higher.


Key Takeaways

  • An AVV is the German term for a Data Processing Agreement (DPA), required under GDPR Article 28 whenever a processor handles personal data for a controller.
  • The agreement must specify the subject matter, purpose, duration, data types, technical and organizational measures (TOMs), and sub-processor rules.
  • Failure to have a valid AVV in place can result in regulatory fines regardless of whether a data breach has occurred.
  • Small businesses are not exempt: cloud hosting, payroll software, and email marketing tools all typically trigger the AVV requirement.
  • An AVV is a contract between two parties, not a privacy notice, and it does not itself implement security measures like encryption.
  • AVVs should be reviewed whenever sub-processors change, data transfers to third countries occur, or processing activities are modified.
  • In the DACH region (Germany, Austria, Switzerland), AVVs are standard practice with SaaS vendors, hosting providers, and ERP systems.
  • Templates are available from compliance organizations and vendors, but customization to reflect actual processing activities is essential.

What Does AVV Stand For in Data Processing?

An AVV stands for Auftragsverarbeitungsvertrag, a German compound word that translates directly to "data processing agreement" in English. It is the contractual instrument mandated by Article 28 of the EU General Data Protection Regulation (GDPR) to govern the relationship between a data controller and a data processor.

The term is specific to German-speaking jurisdictions (Germany, Austria, and Switzerland), but the underlying legal concept applies universally across the EU and EEA. In English-language contexts, the same document is called a Data Processing Agreement (DPA). Organizations operating internationally should ensure their AVVs are available in the relevant languages to facilitate understanding and compliance [5].

The AVV is not a privacy policy or a cookie consent banner. It is a binding bilateral contract that defines how a processor may handle personal data, under what conditions, and with what safeguards.


Why Do Data Processors Need an AVV?

An AVV is obligatory whenever a data controller engages a processor to handle personal data on its behalf. This is not optional guidance; it is a hard legal requirement under GDPR Article 28 [1].

Common scenarios that trigger the AVV requirement include:

  • Cloud hosting and infrastructure (e.g., servers storing customer databases)
  • Payroll processing handled by a third-party HR provider
  • Email marketing platforms that store subscriber lists
  • SaaS ERP vendors accessing business and employee data
  • Analytics and tracking tools processing visitor behavior data

Without an AVV, neither party has a documented legal basis for the processing relationship. Supervisory authorities treat the absence of an AVV as a standalone compliance violation, separate from any data breach investigation [3].


Is an AVV the Same as a DPA?

Yes, an AVV and a DPA refer to the same legal document. The AVV is the German-language designation; DPA is the English equivalent used in most other EU member states and in international compliance contexts [5].

Both documents fulfill the requirements of GDPR Article 28 and must contain the same mandatory elements. If a German company signs a DPA with a US-based SaaS vendor, that DPA functions as the AVV for GDPR compliance purposes, provided it meets all substantive requirements.

Key distinction to remember: The label on the document matters less than its content. A document titled "Data Processing Addendum," "Processing Agreement," or "AVV" is legally equivalent as long as it covers all required elements.


Who Needs an AVV for GDPR Compliance?

Any organization that is a data controller and uses a third-party service that processes personal data on its behalf needs an AVV. This applies to businesses of all sizes across all industries [1].

Controllers who typically need AVVs:

Scenario Controller Processor
Company uses cloud CRM Business CRM vendor
Website uses analytics Website owner Analytics provider
HR outsources payroll Employer Payroll bureau
Online shop uses email tool Retailer Email platform
Agency manages client ads Agency Ad tech platform

Who is not a processor: A party that determines the purposes and means of processing independently is a controller in its own right, not a processor. Joint controllers require a different type of agreement under Article 26 GDPR.

Small businesses frequently overlook this requirement, assuming it applies only to large enterprises. That assumption is incorrect. Any website owner using a third-party hosting provider, newsletter service, or booking system likely needs at least one AVV in place [5].


What Should Be Included in an AVV?

A compliant AVV must contain specific mandatory elements. Missing even one can render the agreement insufficient under GDPR scrutiny [2].

Mandatory components:

  • Subject matter and duration of the processing
  • Nature and purpose of the processing
  • Type of personal data and categories of data subjects
  • Obligations and rights of the controller
  • Technical and organizational measures (TOMs) implemented by the processor
  • Rules governing the engagement of sub-processors
  • Procedures for data subject rights requests
  • Data breach notification obligations
  • Return or deletion of data upon contract termination
  • Audit rights for the controller

The TOMs section is particularly important. While the AVV itself does not implement security measures, it must document what measures the processor has in place, such as encryption standards, access controls, and pseudonymization practices [1].


What Happens If You Don't Have an AVV?

Operating without a valid AVV exposes both the controller and the processor to significant regulatory penalties. Under GDPR Article 83(4), fines for violations of Article 28 can reach โ‚ฌ10 million or 2% of global annual turnover, and under Article 83(5) for more serious infringements, up to โ‚ฌ20 million or 4% of global annual turnover, whichever is higher [3].

Critically, these fines can be imposed regardless of whether a data breach has occurred. A supervisory authority conducting a routine audit or responding to a complaint can identify the absence of an AVV and issue a fine on that basis alone.

Additional consequences include:

  • Reputational damage and loss of client trust
  • Contractual liability between controller and processor
  • Potential suspension of processing activities pending remediation

AVV vs. Data Processing Agreement: Key Differences

The AVV and DPA are substantively the same document under different names. However, there are practical differences worth noting for international organizations.

Dimension AVV DPA
Language German English (or local)
Jurisdiction focus DACH region EU/EEA broadly
Common use context German-language contracts International SaaS agreements
Legal basis GDPR Article 28 GDPR Article 28
Content requirements Identical Identical

The DACH region (Germany, Austria, Switzerland) has particularly strong enforcement culture around AVVs, making them standard practice in vendor contracts with hosting providers, SaaS ERP vendors, and other service partners [1].


How Much Does an AVV Cost?

The cost of an AVV varies depending on how it is created and reviewed.

  • Template-based AVV: Many vendors provide their own AVV as part of their service terms, typically at no additional charge. Organizations like NexDeck offer detailed AVV templates including sub-processor lists [4].
  • Legal counsel review: Having a data protection attorney draft or review a custom AVV typically costs between โ‚ฌ300 and โ‚ฌ2,000 depending on complexity and jurisdiction.
  • DPO-assisted drafting: Organizations with an in-house or external Data Protection Officer (DPO) can often use that resource to draft AVVs at no marginal cost beyond the DPO retainer.

For small businesses, the most practical approach is to start with a reputable template and have it reviewed by a qualified professional before signing.


How Do I Create an AVV Template?

Creating an AVV starts with identifying all processing relationships where a third party handles personal data on your behalf. From there, the process follows these steps:

  1. Inventory your processors: List every vendor, tool, or service that accesses personal data you control.
  2. Obtain or draft the AVV: Many processors (especially SaaS vendors) provide their own standard AVV. Review it against the mandatory elements listed above.
  3. Customize the TOMs section: Ensure the technical and organizational measures reflect the processor's actual security practices.
  4. List sub-processors: Include an annex identifying any sub-processors the processor uses, along with their roles and locations.
  5. Define data transfer mechanisms: If data is transferred outside the EU/EEA, specify the legal transfer mechanism (e.g., Standard Contractual Clauses).
  6. Sign and retain: Both parties must sign the AVV. Retain a copy with your data processing records.

Templates from compliance-focused organizations provide a solid structural foundation, but every AVV should be tailored to the specific processing activity it governs [2].


AVV Requirements for Small Businesses

Small businesses are not exempt from the AVV requirement. Any organization subject to GDPR that uses a third-party processor must have an AVV in place, regardless of company size or employee count [1].

For small businesses, the practical burden is lower than it might appear:

  • Most major SaaS vendors (email platforms, booking systems, analytics tools) already provide a standard AVV or DPA as part of their terms of service. Accepting these terms typically constitutes a valid agreement.
  • The key task is ensuring you have actually reviewed and accepted those terms, rather than assuming they exist.
  • Maintain a simple register of your processors and the corresponding AVVs.

Common mistake: Small business owners often assume that because a vendor is large and reputable, the legal paperwork is automatically handled. Acceptance of an AVV must be an active, documented step.


AVV Audit Trail Requirements

An AVV must include provisions granting the controller the right to audit the processor's compliance. This audit right is a mandatory element under GDPR Article 28(3)(h) [2].

In practice, audit trail requirements mean:

  • The processor must maintain records of processing activities under Article 30(2) GDPR.
  • The controller has the right to conduct audits or commission third-party auditors to verify compliance.
  • Many processors satisfy this requirement through third-party certifications such as ISO 27001 or SOC 2, which can substitute for on-site audits in many cases.

The AVV is directly relevant to ISO 27001 Annex A controls A.5.19 through A.5.22, which govern supplier relationships and information security in supply chains [2]. Organizations with a formal Information Security Management System (ISMS) should ensure their AVVs are integrated into their supplier management processes.


AVV for International Data Transfers

When a processor is located outside the EU/EEA, the AVV must address the legal mechanism for transferring personal data to that third country. Standard Contractual Clauses (SCCs) are the most commonly used mechanism and are typically incorporated as an annex to the AVV [2].

Key considerations for international AVVs:

  • Identify whether the processor's country has an EU adequacy decision.
  • If not, incorporate the appropriate SCCs (controller-to-processor or controller-to-controller, depending on the relationship).
  • Conduct a Transfer Impact Assessment (TIA) where required.
  • Ensure the AVV is available in the languages of both contracting parties [5].

How Often Should You Update Your AVV?

An AVV should be reviewed and updated whenever material changes occur in the processing relationship. There is no fixed statutory review interval, but best practice points to at least an annual review [2].

Triggers for an immediate AVV update:

  • The processor engages a new sub-processor or removes an existing one
  • Processing activities change in nature, purpose, or scope
  • Data is transferred to a new third country
  • The processor's TOMs are significantly updated
  • Applicable law or regulatory guidance changes

Proactive review of AVVs is a core compliance discipline. Outdated agreements that no longer reflect actual processing activities create the same regulatory exposure as having no AVV at all.


Common Mistakes When Setting Up an AVV

Even organizations that understand the AVV requirement frequently make errors in implementation.

Mistake 1: Treating the vendor's boilerplate as automatically sufficient. A vendor-provided AVV template may not cover your specific processing activities. Always review it against the mandatory elements.

Mistake 2: Omitting or vaguely describing TOMs. Supervisory authorities scrutinize the TOMs section closely. Vague language like "appropriate security measures" without specifics is insufficient.

Mistake 3: Forgetting sub-processors. The AVV must list sub-processors. Failing to update this list when a processor changes its sub-processors is a common compliance gap [2].

Mistake 4: Not retaining signed copies. An AVV that cannot be produced during an audit provides no legal protection. Maintain organized records.

Mistake 5: Confusing the AVV with a privacy policy. These are entirely different documents serving different purposes. A privacy policy informs data subjects; an AVV governs the controller-processor relationship [1].


Conclusion

The Ultimate Guide to AVVs: Why Every Data Processor Needs One ultimately comes down to a straightforward compliance reality: if personal data changes hands between a controller and a processor, a valid AVV must exist before that processing begins. There are no size exemptions, no industry carve-outs, and no grace periods for organizations already operating under GDPR.

Actionable next steps for 2026:

  1. Audit every third-party vendor that accesses personal data you control and confirm an AVV is in place for each.
  2. Review existing AVVs against the mandatory elements checklist, paying particular attention to TOMs and sub-processor lists.
  3. Establish a calendar reminder for annual AVV reviews and trigger-based updates when processing activities change.
  4. For organizations managing consent and cookie compliance alongside their AVVs, consider pairing your data processing documentation with a compliant Consent Management Platform such as Biscotti CMP to maintain a complete and defensible compliance posture.
  5. Consult a qualified data protection professional for any AVV involving complex processing activities or international data transfers.

The cost of getting AVVs right is minimal. The cost of getting them wrong is not.


FAQ

What is an AVV in simple terms? An AVV is a written contract between a company that owns personal data (the controller) and a company that processes that data on its behalf (the processor). It specifies what data is processed, why, how it is protected, and what both parties are obligated to do.

Is an AVV required for every vendor relationship? Only for vendors that process personal data on your behalf. A vendor who merely provides a tool you use to process data yourself (with no access to the data) is generally not a processor and does not require an AVV.

Can a verbal agreement substitute for an AVV? No. GDPR Article 28 explicitly requires the processing agreement to be in writing, including in electronic form.

Does an AVV protect against GDPR fines? Having a valid AVV reduces regulatory risk significantly, but it does not provide absolute immunity. Fines can still be issued for other violations. An AVV demonstrates compliance with Article 28 specifically.

What is the difference between a sub-processor and a processor? A processor handles data directly for the controller. A sub-processor is engaged by the processor to assist with that processing. The controller must be informed of sub-processors, and the processor must bind sub-processors to equivalent obligations.

How long must an AVV be retained? There is no explicit retention period specified in GDPR for AVVs, but they should be retained for the duration of the processing relationship and for a reasonable period afterward, typically aligned with the statute of limitations for regulatory action in the relevant jurisdiction.

Does a DPA signed with a US company count as an AVV? Yes, provided it contains all elements required by GDPR Article 28 and incorporates appropriate transfer mechanisms such as Standard Contractual Clauses.

Can the processor use personal data for its own purposes? No. A processor may only process personal data on the documented instructions of the controller. Processing for the processor's own purposes would reclassify that party as a controller, with separate legal obligations.

What is a TOM in the context of an AVV? TOM stands for Technical and Organizational Measure. These are the security practices a processor implements to protect personal data, such as encryption, access controls, and pseudonymization. The AVV must document these measures.

Do AVVs need to be notarized? No. GDPR does not require notarization. A signed written agreement (including electronic signatures) is sufficient.


References

[1] Data Processing Agreement - https://erp-software.org/en/glossary/data-processing-agreement/?utm_source=openai

[2] Auftragsverarbeitungsvertrag - https://cenedril.net/wiki/en/glossar/auftragsverarbeitungsvertrag/?utm_source=openai

[3] Auftragsverarbeitung Art 28 Dsgvo Avv - https://www.ing-ism.de/magazin/auftragsverarbeitung-art-28-dsgvo-avv/?utm_source=openai

[4] nexdeck.app - https://www.nexdeck.app/avv?utm_source=openai

[5] booking-system.info - https://www.booking-system.info/bookingsystem/avv.html?utm_source=openai


โ† Back to blog
Biscotti CMP

Consent Management and Legal Text Generator by Campcruisers GmbH (Falkensee). Can support your website compliance.

Product

๐Ÿข About UsFeaturesPricingDocumentation๐Ÿ” Cookie Check๐Ÿ“ฆ Downloads๐Ÿ“š Privacy & Consent Knowledge Base๐Ÿ“ Blog๐Ÿ“– Cookie Consent & Privacy Glossary๐ŸŒ Jurisdictionsโ™ฟ WCAG 2.2 Accessible Consent Banner

Legal

ImprintPrivacy PolicyTerms of ServiceRight of WithdrawalDPACookie Policy

Contact

Contact
ยฉ 2026 Biscotti โ€“ A service of Campcruisers GmbH๐Ÿช Change cookie settings