Forgotten password?

Data processing agreement (controller-processor)

This data processing agreement has been designed to help data controllers to transfer personal data to data processors in a way that complies with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

The GDPR will come into force on 25 May 2018. If you have a subsisting data processing agreement that will be replaced by this document, you should specify the effective date of this agreement as a date on or before 25 May 2018.

This agreement may be used to supplement a separated services contract, whether pre-existing or not.

This basic document covers the specific obligations set out in the GDPR, but does not include some of the more detailed provisions that are typically found in data processing agreements covering business-critical, high volume or sensitive personal data processing. In addition, this document does not cover controller or processor company group structures; nor does it cover liabilities/indemnities, audit rights or co-operation rights in any detail.

A word of warning: the GDPR is a complex piece of legislation, and EU member states are free in some areas to apply standards for the protection of personal data that are stricter than those set out in the GDPR. Fines under the GDPR may be large and private individuals may seek damages in respect of breaches. Accordingly, we recommend that you take legal advice on all aspects of GDPR compliance, including your data processing contract arrangements.

Ask about this document

Data processing agreement (controller-processor) contents

  1. Definitions: definitions.
  2. Supplemental:
     supplements main contract; definitions in main contract; conflict between 
     and main contract; breach of 
     deemed to be breach of main contract; breach of main contract deemed to be breach of 
    ; termination with main contract; main contract termination.
  3. Term: commencement of term; end of term.
  4. Data protection: compliance with data protection laws; warranty of
    's right to disclose personal data (GDPR); details of personal data processed by 
    the Processor
     (GDPR); purposes of processing of personal data by 
    the Processor
     (GDPR); duration of personal data processing by
    (GDPR); personal data processed by
    on instructions (GDPR); authorised international transfers of personal data (GDPR); informing 
     of illegal instructions (GDPR); personal data processed by
    as required by law (GDPR); confidentiality obligations on
     persons processing personal data (GDPR); security of personal data processed by 
     (GDPR); appointment of sub-processor by
    (GDPR); authorisation for
    to appoint sub-processors (GDPR);
     to assist with exercise of data subject rights (GDPR);
     to assist with compliance (GDPR); obligation to notify 
    of personal data breach (GDPR);
     to provide data protection compliance information (GDPR); deletion of personal data by 
     to allow audit (GDPR); changes to data protection law.
  5. Limits upon exclusions of liability: caveats to limits of liability.
  6. Termination: termination by either party without cause; termination by either party upon breach; termination upon insolvency.
  7. Effects of termination: surviving provisions upon termination; termination does not affect accrued rights.
  8. Notices: methods and deemed receipt of contractual notices; contact details for contractual notices; substitute contact details for notices.
  9. General: no waiver; severability; variation written and signed; no assignment without written consent; no third party rights; entire agreement; governing law; exclusive jurisdiction.
  10. Interpretation: statutory references; section headings not affecting interpretation; calendar month meaning; no ejusdem generis.


  1. Categories of data subject: prompt for categories of data subject.
  2. Types of Personal Data: prompt for types of personal data.
  3. Purposes of processing: prompt for personal data processing purposes.
  4. Security measures for Personal Data: prompt for security measures for personal data.
  5. Sub-processors of Personal Data: prompt for identifying sub-processors of personal data.


    Prompt for standard contractual clauses.
Data processing agreement (controller-processor) document editor previewData processing agreement (controller-processor) document editor previewData processing agreement (controller-processor) document editor previewData processing agreement (controller-processor) document editor preview
This is a shortened preview of the editor interface; once you create your instance you'll be able to edit the full document in our online editor.
Data processing agreement (controller-processor) document previewData processing agreement (controller-processor) document previewData processing agreement (controller-processor) document previewData processing agreement (controller-processor) document preview
This is a shortened preview of the DOCX output; once you create your instance you'll be able to download the full document in PDF, HTML, RTF and/or DOCX (Microsoft Word) format.