Data processing addendum (controller-processor)

This addendum may be used to supplement and amend an existing contract, with the aim of bringing the contract into line with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

The GDPR requires that all contracts between those organisations that control personal data and those organisations that process personal data include certain clauses. This requirement is set out in Article 28 of the GDPR. The required clauses include: (i) a restriction upon the processor acting otherwise than in accordance with the documented instructions of the controller; (ii) restrictions on certain international transfers; (iii) confidentiality obligations for personnel having access to the data; and (iv) a requirement that appropriate security measures be used.

This addendum is designed specifically for the situation where one party is a controller and the other party is a processor with respect to personal data. It should not be used where transfers are controller-to-controller or processor-to-sub-processor.

Data processing addendum (controller-processor) contents

  1. Definitions: definitions.
  2. This Addendum and the Agreement: Addendum varies Agreement; provisions of Agreement ceasing to have effect; definitions in Agreement; limitations of liability in contract apply to document.
  3. Data protection: compliance with data protection laws; warranty of Controller's right to disclose personal data (GDPR); details of personal data processed by the Processor (GDPR); purposes of processing of personal data by the Processor (GDPR); duration of personal data processing by Processor (GDPR); personal data processed by Processor on instructions (GDPR); authorised international transfers of personal data (GDPR); informing Controller of illegal instructions (GDPR); personal data processed by Processor as required by law (GDPR); confidentiality obligations on Processor persons processing personal data (GDPR); security of personal data processed by Processor (GDPR); appointment of sub-processor by Processor (GDPR); authorisation for Processor to appoint sub-processors (GDPR); Processor to assist with exercise of data subject rights (GDPR); Processor to assist with compliance (GDPR); obligation to notify Controller of personal data breach (GDPR); Processor to provide data protection compliance information (GDPR); deletion of personal data by Processor (GDPR); Processor to allow audit (GDPR); changes to data protection law.
  4. Surviving provisions: surviving provisions upon termination.

SCHEDULE 1 (DATA PROCESSING INFORMATION)

  1. Categories of data subject: prompt for categories of data subject.
  2. Types of Personal Data: prompt for types of personal data.
  3. Purposes of processing: prompt for personal data processing purposes.
  4. Security measures for Personal Data: prompt for security measures for personal data.
  5. Sub-processors of Personal Data: prompt for identifying sub-processors of personal data.

SCHEDULE 2 (STANDARD CONTRACTUAL CLAUSES)

    Prompt for standard contractual clauses.