DATA PROCESSING AGREEMENT

(GDPR-Compliant)

This Data Processing Agreement (the "DPA" or "Agreement") is entered into as of the date last signed below (the "Effective Date") between:

Controller: _____________________________________________ (the "Controller") — the party that determines the purposes and means of the processing of Personal Data; and

Processor: _____________________________________________ (the "Processor") — the party that processes Personal Data on behalf of the Controller.

This DPA forms part of, and is incorporated into, the main commercial agreement between the Parties dated _____________ (the "Principal Agreement"). In the event of a conflict between this DPA and the Principal Agreement in relation to data protection matters, this DPA shall prevail. Capitalised terms not defined herein have the meanings given to them in the Principal Agreement.

1. Definitions

For the purposes of this DPA:

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK GDPR, and any national implementing legislation, as amended or replaced from time to time.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"Personal Data" means any information relating to a Data Subject, as defined in Article 4(1) GDPR.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Processing" and "Process" have the meanings given in Article 4(2) GDPR.

"Special Category Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a natural person's sex life or sexual orientation, as defined in Article 9 GDPR.

"Sub-processor" means any processor engaged by the Processor to carry out processing activities on behalf of the Controller in connection with the Principal Agreement.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission pursuant to Article 46(2) GDPR, as currently in force.

2. Subject Matter, Nature, and Purpose of Processing

The Processor shall process Personal Data on behalf of the Controller solely for the purposes described in Annex 1 to this DPA and in accordance with the Controller's documented instructions, as set out in this DPA and the Principal Agreement.

The Processor shall not process Personal Data for any purpose other than as instructed by the Controller in writing, except where required to do so by applicable law, in which case the Processor shall (to the extent permitted by law) inform the Controller before processing.

The nature, purpose, types of Personal Data processed, categories of Data Subjects, and retention periods are set out in Annex 1.

3. Obligations of the Processor

The Processor shall:

Process Personal Data only on documented instructions from the Controller, including with regard to international transfers of Personal Data, unless required to do so by applicable law;

Ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the measures referred to in Article 32 GDPR, as further described in Annex 2;

Respect the conditions for engaging Sub-processors as set out in clause 5 of this DPA;

Take all measures required pursuant to Article 28(3)(f) GDPR regarding assistance to the Controller in ensuring compliance with the Data Subject rights set out in Articles 12 to 22 GDPR;

Assist the Controller in ensuring compliance with its obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, data protection impact assessment, and prior consultation), taking into account the nature of processing and the information available to the Processor;

At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data;

Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller;

Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes Applicable Data Protection Law.

4. Controller's Obligations

The Controller shall ensure that it has a lawful basis for the processing of Personal Data described in this DPA, including obtaining any necessary consents from Data Subjects, and shall provide the Processor with documented instructions that comply with Applicable Data Protection Law.

The Controller shall inform Data Subjects about the processing of their Personal Data by the Processor to the extent required by Applicable Data Protection Law.

The Controller shall promptly notify the Processor of any changes to its instructions that may affect the Processor's obligations under this DPA.

5. Sub-processors

The Processor shall not engage any Sub-processor without the prior specific or general written authorisation of the Controller. Where the Controller grants general written authorisation, the Processor shall inform the Controller of any intended addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes within fourteen (14) days of notification.

Where the Processor engages a Sub-processor, it shall impose on that Sub-processor the same data protection obligations as set out in this DPA, by way of a written contract. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.

The Processor's current list of approved Sub-processors is set out in Annex 3, which may be updated by the Processor from time to time in accordance with clause 5.1.

6. International Data Transfers

The Processor shall not transfer Personal Data to a country or territory outside the European Economic Area (or the UK, as applicable) unless: (a) the transfer is to a country that has been granted an adequacy decision by the European Commission (or UK competent authority, as applicable); (b) the transfer is subject to appropriate safeguards, including Standard Contractual Clauses; or (c) a derogation under Article 49 GDPR applies.

Where Personal Data is transferred on the basis of Standard Contractual Clauses, the Parties agree to execute and be bound by the applicable SCCs as a separate document, incorporated by reference into this DPA.

7. Personal Data Breaches

The Processor shall notify the Controller without undue delay and in any event within forty-eight (48) hours after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller.

Such notification shall include, to the extent available at the time: (a) a description of the nature of the breach, including categories and approximate number of Data Subjects and records concerned; (b) the name and contact details of the Processor's data protection contact point; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach.

Where it is not possible to provide all information simultaneously, information may be provided in phases without undue further delay.

The Processor shall document all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken, and shall make such documentation available to the Controller on request.

8. Data Subject Rights

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in fulfilling the Controller's obligations to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection). The Processor shall promptly forward to the Controller any Data Subject request received directly by the Processor without responding to such request directly, unless authorised to do so by the Controller.

9. Deletion and Return of Data

Upon termination or expiry of the Principal Agreement, or upon the Controller's written request, the Processor shall, at the Controller's election: (a) securely delete or destroy all Personal Data processed on behalf of the Controller; or (b) return all such Personal Data to the Controller in a commonly used machine-readable format. The Processor shall certify in writing that it has complied with this obligation within thirty (30) days of the termination date or request, and shall ensure that any Sub-processors do likewise. The Processor may retain a single archival copy of Personal Data solely to the extent required by applicable law, subject to continuing confidentiality and security obligations.

10. Audit Rights

The Controller shall have the right, on reasonable prior written notice of not less than fourteen (14) days (except in the case of an urgent security concern), to audit the Processor's compliance with this DPA, either directly or through a mandated third-party auditor. The Processor shall cooperate fully with any such audit and shall make available all relevant information, systems, and personnel. Audits shall be conducted at the Controller's expense unless the audit reveals a material breach of this DPA by the Processor.

11. Liability and Indemnity

Each Party shall be liable to the other for actual damages caused by processing that does not comply with Applicable Data Protection Law or this DPA.

Where both Parties are responsible for damage caused by processing, each Party's liability shall be limited to the part of the damage for which that Party is responsible, in accordance with Article 82 GDPR.

Each Party shall indemnify and hold harmless the other from any fines, penalties, regulatory sanctions, or third-party claims arising from its own breach of Applicable Data Protection Law or this DPA.

12. Term and Termination

This DPA shall remain in force for as long as the Processor processes Personal Data on behalf of the Controller under the Principal Agreement. The obligations of the Processor under this DPA shall continue after termination to the extent necessary to ensure the secure deletion or return of Personal Data.

13. Governing Law

This DPA shall be governed by and construed in accordance with the laws of _____________________________________________, consistent with Applicable Data Protection Law. Any dispute shall be resolved in accordance with the dispute resolution clause of the Principal Agreement.

EXECUTION

IN WITNESS WHEREOF, the Parties have executed this DPA as of the date last signed below.

For and on behalf of the Controller:

Authorised Signatory: _____________________________________________

Full Name: _____________________________________________

Title: _____________________________________________

Date: _____________________________________________

For and on behalf of the Processor:

Authorised Signatory: _____________________________________________

Full Name: _____________________________________________

Title: _____________________________________________

Date: _____________________________________________

Annex 1 — Subject Matter, Nature, Purpose, Data Types, Data Subject Categories, and Retention Periods

Annex 2 — Technical and Organisational Security Measures

Annex 3 — Approved Sub-processors

Doc 11 — Data Processing Agreement (GDPR-Compliant) — Neutral Template
