Register
Forgotten password?

Data processing agreement (basic, controller-processor)

This data processing agreement has been designed to help data controllers to transfer personal data to data processors in a way that complies with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

The GDPR will come into force on 25 May 2018. If you have a subsisting data processing agreement that will be replaced by this document, you should specify the effective date of this agreement as a date on or before 25 May 2018.

This agreement may be used to supplement a separated services contract, whether pre-existing or not.

This basic document covers the specific obligations set out in the GDPR, but does not include some of the more detailed provisions that are typically found in data processing agreements covering business-critical, high volume or sensitive personal data processing. In addition, this document does not cover controller or processor company group structures; nor does it cover liabilities/indemnities, audit rights or co-operation rights in any detail.

A word of warning: the GDPR is a complex piece of legislation, and EU member states are free in some areas to apply standards for the protection of personal data that are stricter than those set out in the GDPR. Fines under the GDPR may be large and private individuals may seek damages in respect of breaches. Accordingly, we recommend that you take legal advice on all aspects of GDPR compliance, including your data processing contract arrangements.

Ask about this document

Data processing agreement (basic, controller-processor) contents

  1. Definitions: definitions.
  2. Supplemental:
    Agreement
     supplements main contract; definitions in main contract; conflict between 
    Agreement
     and main contract; termination with main contract; main contract termination.
  3. Term: commencement of term; end of term.
  4. Consideration: consideration benefiting first party.
  5. Data protection: compliance with data protection laws; warranty of
    Controller
    's right to disclose personal data (GDPR); details of personal data and purposes of processing by 
    the Processor
     (GDPR); duration of personal data processing by
    Processor
    (GDPR); personal data processed by
    Processor
    on instructions (GDPR); informing 
    Controller
     of illegal instructions (GDPR); international personal data transfers and model clauses; personal data processed by
    Processor
    as required by law (GDPR); confidentiality obligations on
    Processor
     persons processing personal data (GDPR); security of personal data processed by 
    Processor
     (GDPR); appointment of sub-processor by
    Processor
    (GDPR); authorisation for
    Processor
    to appoint sub-processors (GDPR);
    Processor
     to assist with exercise of data subject rights (GDPR);
    Processor
     to assist with compliance (GDPR);
    Processor
     to provide information (GDPR); deletion of personal data by 
    Processor
     (GDPR);
    Processor
     to allow audit (GDPR); changes to data protection law.
  6. Limits upon exclusions of liability: caveats to limits of liability.
  7. Termination: termination by either party without cause; termination by either party upon breach; termination upon insolvency.
  8. Effects of termination: surviving provisions upon termination; termination does not affect accrued rights.
  9. Notices: methods and deemed receipt of contractual notices; contact details for contractual notices; substitute contact details for notices.
  10. General: no waiver; severability; variation written and signed; no assignment without written consent; no third party rights; entire agreement; governing law; exclusive jurisdiction.
  11. Interpretation: statutory references; section headings not affecting interpretation; calendar month meaning; no ejusdem generis.

SCHEDULE 1 (DATA PROCESSING INFORMATION)

  1. Categories of data subject: prompt for categories of data subject.
  2. Types of Personal Data: prompt for types of personal data.
  3. Purposes of processing: prompt for personal data processing purposes.
  4. Security measures for Personal Data: prompt for security measures for personal data.
  5. Sub-processors of Personal Data: prompt for identifying sub-processors of personal data.

SCHEDULE 2 (MODEL CONTRACTUAL CLAUSES)

    Prompt for model contractual clauses.
Data processing agreement (basic, controller-processor) document editor previewData processing agreement (basic, controller-processor) document editor previewData processing agreement (basic, controller-processor) document editor previewData processing agreement (basic, controller-processor) document editor preview
This is a shortened preview of the editor interface; once you create your instance you'll be able to edit the full document in our online editor.
Data processing agreement (basic, controller-processor) document previewData processing agreement (basic, controller-processor) document previewData processing agreement (basic, controller-processor) document previewData processing agreement (basic, controller-processor) document preview
This is a shortened preview of the DOCX output; once you create your instance you'll be able to download the full document in PDF, HTML, RTF and/or DOCX (Microsoft Word) format.