Data processing agreement (controller-processor)
This data processing agreement has been designed to help data controllers to transfer personal data to data processors in a way that complies with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).
The GDPR will come into force on 25 May 2018. If you have a subsisting data processing agreement that will be replaced by this document, you should specify the effective date of this agreement as a date on or before 25 May 2018.
This agreement may be used to supplement a separated services contract, whether pre-existing or not.
This basic document covers the specific obligations set out in the GDPR, but does not include some of the more detailed provisions that are typically found in data processing agreements covering business-critical, high volume or sensitive personal data processing. In addition, this document does not cover controller or processor company group structures; nor does it cover liabilities/indemnities, audit rights or co-operation rights in any detail.
A word of warning: the GDPR is a complex piece of legislation, and EU member states are free in some areas to apply standards for the protection of personal data that are stricter than those set out in the GDPR. Fines under the GDPR may be large and private individuals may seek damages in respect of breaches. Accordingly, we recommend that you take legal advice on all aspects of GDPR compliance, including your data processing contract arrangements.Ask about this document
Data processing agreement (controller-processor) contents
- Definitions: definitions.
- Supplemental: Agreementsupplements main contract; definitions in main contract; conflict betweenAgreementand main contract; termination with main contract; main contract termination.
- Term: commencement of term; end of term.
- Data protection: compliance with data protection laws; warranty of Controller's right to disclose personal data (GDPR); details of personal data and purposes of processing bythe Processor(GDPR); duration of personal data processing byProcessor(GDPR); personal data processed byProcessoron instructions (GDPR); informingControllerof illegal instructions (GDPR); international personal data transfers and model clauses; personal data processed byProcessoras required by law (GDPR); confidentiality obligations onProcessorpersons processing personal data (GDPR); security of personal data processed byProcessor(GDPR); appointment of sub-processor byProcessor(GDPR); authorisation forProcessorto appoint sub-processors (GDPR);Processorto assist with exercise of data subject rights (GDPR);Processorto assist with compliance (GDPR);Processorto provide information (GDPR); deletion of personal data byProcessor(GDPR);Processorto allow audit (GDPR); changes to data protection law.
- Limits upon exclusions of liability: caveats to limits of liability.
- Termination: termination by either party without cause; termination by either party upon breach; termination upon insolvency.
- Effects of termination: surviving provisions upon termination; termination does not affect accrued rights.
- Notices: methods and deemed receipt of contractual notices; contact details for contractual notices; substitute contact details for notices.
- General: no waiver; severability; variation written and signed; no assignment without written consent; no third party rights; entire agreement; governing law; exclusive jurisdiction.
- Interpretation: statutory references; section headings not affecting interpretation; calendar month meaning; no ejusdem generis.
SCHEDULE 1 (DATA PROCESSING INFORMATION)
- Categories of data subject: prompt for categories of data subject.
- Types of
Personal Data: prompt for types of personal data.
- Purposes of processing: prompt for personal data processing purposes.
- Security measures for
Personal Data: prompt for security measures for personal data.
- Sub-processors of Personal Data: prompt for identifying sub-processors of personal data.
SCHEDULE 2 (MODEL CONTRACTUAL CLAUSES)
- Prompt for model contractual clauses.