Data processing agreement (processor-sub-processor)
This agreement can be used to enable the transfer of personal data from data processors to sub-processors in a way that complies - or may comply - with the GDPR or General Data Protection Regulation (Regulation (EU) 2016/679).
This document can sit alongside a services agreement, and can be used to supplement a services agreement that has been previously executed.
The substantive terms are very similar to those in our controller-to-processor data processing agreement. The key difference is that the "standard contractual clauses" are not available as a means of transferring personal data to a sub-processor outside the EEA.
Under Article 28(4) of the GDPR, processors have an obligation to impose upon sub-processors "the same" obligations as those imposed upon the processor in the controller-processor contract. It goes without saying that those obligations may diverge from the specific language of the GDPR. Accordingly, this document will often need to be adapted to fit the specific language of the relevant controller-processor contract(s).
This document does not expressly grant any rights to the relevant data controller(s) in relation to the processing of the personal data. Instead, it anticipates that controller rights would be exercised through the processor.
Data processing agreement (processor-sub-processor) contents
- Definitions: definitions.
- Supplemental: Agreement supplements main contract; definitions in main contract; conflict between Agreement and main contract; breach of Agreement deemed to be breach of main contract; breach of main contract deemed to be breach of Agreement; termination with main contract; main contract termination.
- Term: commencement of term; end of term.
- Data protection: compliance with data protection laws; warranty of Processor's right to disclose personal data (GDPR); details of personal data processed by the Sub-Processor (GDPR); purposes of processing of personal data by the Sub-Processor (GDPR); duration of personal data processing by Sub-Processor (GDPR); personal data processed by Sub-Processor on instructions (GDPR); authorised international transfers of personal data (GDPR); informing Processor of illegal instructions (GDPR); personal data processed by Sub-Processor as required by law (GDPR); confidentiality obligations on Sub-Processor persons processing personal data (GDPR); security of personal data processed by Sub-Processor (GDPR); appointment of sub-processor by Sub-Processor (GDPR); authorisation for Sub-Processor to appoint sub-processors (GDPR); Sub-Processor to assist with exercise of data subject rights (GDPR); Sub-Processor to assist with compliance (GDPR); obligation to notify Processor of personal data breach (GDPR); Sub-Processor to provide data protection compliance information (GDPR); deletion of personal data by Sub-Processor (GDPR); Sub-Processor to allow audit (GDPR); changes to data protection law.
- Limits upon exclusions of liability: caveats to limits of liability.
- Termination: termination by either party without cause; termination by either party upon breach; termination upon insolvency.
- Effects of termination: surviving provisions upon termination; termination does not affect accrued rights.
- Notices: methods and deemed receipt of contractual notices; contact details for contractual notices; substitute contact details for notices.
- General: no waiver; severability; variation written and signed; no assignment without written consent; no third party rights; entire agreement; governing law; exclusive jurisdiction.
- Interpretation: statutory references; section headings not affecting interpretation; calendar month meaning; no ejusdem generis.
SCHEDULE 1 (DATA PROCESSING INFORMATION)
- Categories of data subject: prompt for categories of data subject.
- Types of Personal Data: prompt for types of personal data.
- Purposes of processing: prompt for personal data processing purposes.
- Security measures for Personal Data: prompt for security measures for personal data.
- Sub-processors of Personal Data: prompt for identifying sub-processors of personal data.