Register
Forgotten password?

Data processing agreement (processor-sub-processor)

This agreement can be used to enable the transfer of personal data from data processors to sub-processors in a way that complies - or may comply - with the GDPR or General Data Protection Regulation (Regulation (EU) 2016/679).

This document can sit alongside a services agreement, and can be used to supplement a services agreement that has been previously executed.

The substantive terms are very similar to those in our controller-to-processor data processing agreement. The key difference is that the "standard contractual clauses" are not available as a means of transferring personal data to a sub-processor outside the EEA.

Under Article 28(4) of the GDPR, processors have an obligation to impose upon sub-processors "the same" obligations as those imposed upon the processor in the controller-processor contract. It goes without saying that those obligations may diverge from the specific language of the GDPR. Accordingly, this document will often need to be adapted to fit the specific language of the relevant controller-processor contract(s).

This document does not expressly grant any rights to the relevant data controller(s) in relation to the processing of the personal data. Instead, it anticipates that controller rights would be exercised through the processor.

Ask about this document

Data processing agreement (processor-sub-processor) contents

  1. Definitions: definitions.
  2. Supplemental:
    Agreement
     supplements main contract; definitions in main contract; conflict between 
    Agreement
     and main contract; breach of 
    Agreement
     deemed to be breach of main contract; breach of main contract deemed to be breach of 
    Agreement
    ; termination with main contract; main contract termination.
  3. Term: commencement of term; end of term.
  4. Data protection: compliance with data protection laws; warranty of
    Processor
    's right to disclose personal data (GDPR); details of personal data processed by 
    the Sub-Processor
     (GDPR); purposes of processing of personal data by 
    the Sub-Processor
     (GDPR); duration of personal data processing by
    Sub-Processor
    (GDPR); personal data processed by
    Sub-Processor
    on instructions (GDPR); authorised international transfers of personal data (GDPR); informing 
    Processor
     of illegal instructions (GDPR); personal data processed by
    Sub-Processor
    as required by law (GDPR); confidentiality obligations on
    Sub-Processor
     persons processing personal data (GDPR); security of personal data processed by 
    Sub-Processor
     (GDPR); appointment of sub-processor by
    Sub-Processor
    (GDPR); authorisation for
    Sub-Processor
    to appoint sub-processors (GDPR);
    Sub-Processor
     to assist with exercise of data subject rights (GDPR);
    Sub-Processor
     to assist with compliance (GDPR); obligation to notify 
    Processor
    of personal data breach (GDPR);
    Sub-Processor
     to provide data protection compliance information (GDPR); deletion of personal data by 
    Sub-Processor
     (GDPR);
    Sub-Processor
     to allow audit (GDPR); changes to data protection law.
  5. Limits upon exclusions of liability: caveats to limits of liability.
  6. Termination: termination by either party without cause; termination by either party upon breach; termination upon insolvency.
  7. Effects of termination: surviving provisions upon termination; termination does not affect accrued rights.
  8. Notices: methods and deemed receipt of contractual notices; contact details for contractual notices; substitute contact details for notices.
  9. General: no waiver; severability; variation written and signed; no assignment without written consent; no third party rights; entire agreement; governing law; exclusive jurisdiction.
  10. Interpretation: statutory references; section headings not affecting interpretation; calendar month meaning; no ejusdem generis.

SCHEDULE 1 (DATA PROCESSING INFORMATION)

  1. Categories of data subject: prompt for categories of data subject.
  2. Types of Personal Data: prompt for types of personal data.
  3. Purposes of processing: prompt for personal data processing purposes.
  4. Security measures for Personal Data: prompt for security measures for personal data.
  5. Sub-processors of Personal Data: prompt for identifying sub-processors of personal data.