Data processing agreement (controller-processor)
This data processing agreement has been designed to help data controllers to transfer personal data to data processors in a way that complies with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and/or the GDPR as transposed into UK law.
This agreement may be used to supplement a separate services contract, whether pre-existing or not.
This basic document covers the specific obligations set out in the GDPR, but does not include some of the more detailed provisions that are typically found in data processing agreements covering business-critical, high volume or sensitive personal data processing. In addition, this document does not cover controller or processor company group structures; nor does it cover liabilities/indemnities, audit rights or co-operation rights in any detail.
A word of warning: the GDPR is a complex piece of legislation, and EU member states are free in some areas to apply standards for the protection of personal data that are stricter than those set out in the GDPR. There are also differences between the original EU GDPR and the UK version. Fines under the GDPR may be large and private individuals may seek damages in respect of breaches. Accordingly, we recommend that you take legal advice on all aspects of GDPR compliance, including your data processing contract arrangements.
Data processing agreement (controller-processor) contents
- Definitions: definitions.
- Supplemental: Agreement supplements main contract; definitions in main contract; conflict between Agreement and main contract; breach of Agreement deemed to be breach of main contract; breach of main contract deemed to be breach of Agreement; termination with main contract; main contract termination.
- Term: commencement of term; end of term.
- Data protection: compliance with data protection laws; warranty of Controller's right to disclose personal data (GDPR); details of personal data processed by the Processor (GDPR); purposes of processing of personal data by the Processor (GDPR); duration of personal data processing by Processor (GDPR); personal data processed by Processor on instructions (GDPR); authorised international transfers of personal data (GDPR); informing Controller of illegal instructions (GDPR); personal data processed by Processor as required by law (GDPR); confidentiality obligations on Processor persons processing personal data (GDPR); security of personal data processed by Processor (GDPR); appointment of sub-processor by Processor (GDPR); authorisation for Processor to appoint sub-processors (GDPR); Processor to assist with exercise of data subject rights (GDPR); Processor to assist with compliance (GDPR); obligation to notify Controller of personal data breach (GDPR); Processor to provide data protection compliance information (GDPR); deletion of personal data by Processor (GDPR); Processor to allow audit (GDPR); changes to data protection law.
- Limits upon exclusions of liability: caveats to limits of liability.
- Termination: termination by either party without cause; termination by either party upon breach; termination upon insolvency.
- Effects of termination: surviving provisions upon termination; termination does not affect accrued rights.
- Notices: methods and deemed receipt of contractual notices; contact details for contractual notices; substitute contact details for notices.
- General: no waiver; severability; variation written and signed; no assignment without written consent; no third party rights; entire agreement; governing law; exclusive jurisdiction.
- Interpretation: statutory references; section headings not affecting interpretation; calendar month meaning; no ejusdem generis.
SCHEDULE 1 (DATA PROCESSING INFORMATION)
- Categories of data subject: prompt for categories of data subject.
- Types of Personal Data: prompt for types of personal data.
- Purposes of processing: prompt for personal data processing purposes.
- Security measures for Personal Data: prompt for security measures for personal data.
- Sub-processors of Personal Data: prompt for identifying sub-processors of personal data.
SCHEDULE 2 (STANDARD CONTRACTUAL CLAUSES)
- Prompt for standard contractual clauses.