Data processing addendum (controller-processor)
This addendum may be used to supplement and amend an existing contract, with the aim of bringing the contract into line with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and/or the UK's version of the GDPR.
The GDPR requires that all contracts between those organisations that control personal data and those organisations that process personal data include certain clauses. This requirement is set out in Article 28 of the GDPR. The required clauses include: (i) a restriction upon the processor acting otherwise than in accordance with the documented instructions of the controller; (ii) restrictions on certain international transfers; (iii) confidentiality obligations for personnel having access to the data; and (iv) a requirement that appropriate security measures be used.
This addendum is designed specifically for the situation where one party is a controller and the other party is a processor with respect to personal data. It should not be used where transfers are controller-to-controller or processor-to-sub-processor.
Data processing addendum (controller-processor) contents
- Definitions: definitions.
- This Addendum and the Agreement: Addendum varies Agreement; provisions of Agreement ceasing to have effect; definitions in Agreement; limitations of liability in contract apply to document.
- Data protection: compliance with data protection laws; warranty of Controller's right to disclose personal data (GDPR); details of personal data processed by the Processor (GDPR); purposes of processing of personal data by the Processor (GDPR); duration of personal data processing by Processor (GDPR); personal data processed by Processor on instructions (GDPR); authorised international transfers of personal data (GDPR); informing Controller of illegal instructions (GDPR); personal data processed by Processor as required by law (GDPR); confidentiality obligations on Processor persons processing personal data (GDPR); security of personal data processed by Processor (GDPR); appointment of sub-processor by Processor (GDPR); authorisation for Processor to appoint sub-processors (GDPR); Processor to assist with exercise of data subject rights (GDPR); Processor to assist with compliance (GDPR); obligation to notify Controller of personal data breach (GDPR); Processor to provide data protection compliance information (GDPR); deletion of personal data by Processor (GDPR); Processor to allow audit (GDPR); changes to data protection law.
- Surviving provisions: surviving provisions upon termination.
SCHEDULE 1 (DATA PROCESSING INFORMATION)
- Categories of data subject: prompt for categories of data subject.
- Types of Personal Data: prompt for types of personal data.
- Purposes of processing: prompt for personal data processing purposes.
- Security measures for Personal Data: prompt for security measures for personal data.
- Sub-processors of Personal Data: prompt for identifying sub-processors of personal data.
SCHEDULE 2 (STANDARD CONTRACTUAL CLAUSES)
- Prompt for standard contractual clauses.