Register
Forgotten password?

Data processing addendum (processor-sub-processor)

A pre-existing contract may be rendered compliant with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) - and/or the GDPR as incorporated into UK law - using this data processing addendum.

Under the GDPR, contracts between "processors" of personal data and their "sub-processors" must contain a set of provisions designed to promote privacy and security. For instance, processors must only process personal data at the direction of their controllers, and it follows that sub-processors must only process at the direction of the processors who supply the data.

This addendum should not be used to amend agreements involving the transfer of personal data from a controller to a processor - we have a distinct template for that situation.

Ask about this document

Data processing addendum (processor-sub-processor) contents

  1. Definitions: definitions.
  2. This Addendum
     and 
    the Agreement
    :
    Addendum
     varies 
    Agreement
    ; provisions of 
    Agreement
     ceasing to have effect; definitions in 
    Agreement
    ; limitations of liability in contract apply to document.
  3. Data protection: compliance with data protection laws; warranty of
    Processor
    's right to disclose personal data (GDPR); details of personal data processed by 
    the Sub-Processor
     (GDPR); purposes of processing of personal data by 
    the Sub-Processor
     (GDPR); duration of personal data processing by
    Sub-Processor
    (GDPR); personal data processed by
    Sub-Processor
    on instructions (GDPR); authorised international transfers of personal data (GDPR); informing 
    Processor
     of illegal instructions (GDPR); personal data processed by
    Sub-Processor
    as required by law (GDPR); confidentiality obligations on
    Sub-Processor
     persons processing personal data (GDPR); security of personal data processed by 
    Sub-Processor
     (GDPR); appointment of sub-processor by
    Sub-Processor
    (GDPR); authorisation for
    Sub-Processor
    to appoint sub-processors (GDPR);
    Sub-Processor
     to assist with exercise of data subject rights (GDPR);
    Sub-Processor
     to assist with compliance (GDPR); obligation to notify 
    Processor
    of personal data breach (GDPR);
    Sub-Processor
     to provide data protection compliance information (GDPR); deletion of personal data by 
    Sub-Processor
     (GDPR);
    Sub-Processor
     to allow audit (GDPR); changes to data protection law.
  4. Surviving provisions: surviving provisions upon termination.

SCHEDULE 1 (DATA PROCESSING INFORMATION)

  1. Categories of data subject: prompt for categories of data subject.
  2. Types of Personal Data: prompt for types of personal data.
  3. Purposes of processing: prompt for personal data processing purposes.
  4. Security measures for Personal Data: prompt for security measures for personal data.
  5. Sub-processors of Personal Data: prompt for identifying sub-processors of personal data.

SCHEDULE 2 (STANDARD CONTRACTUAL CLAUSES)

    Prompt for standard contractual clauses.
Data processing addendum (processor-sub-processor) document editor previewData processing addendum (processor-sub-processor) document editor preview
This is a shortened preview of the editor interface; once you create your instance you'll be able to edit the full document in our online editor.
Data processing addendum (processor-sub-processor) document previewData processing addendum (processor-sub-processor) document previewData processing addendum (processor-sub-processor) document preview
This is a shortened preview of the DOCX output; once you create your instance you'll be able to download the full document in PDF, HTML, RTF and/or DOCX (Microsoft Word) format.