Data processing addendum (processor-sub-processor)
A pre-existing contract may be rendered compliant with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) - and/or the GDPR as incorporated into UK law - using this data processing addendum.
Under the GDPR, contracts between "processors" of personal data and their "sub-processors" must contain a set of provisions designed to promote privacy and security. For instance, processors must only process personal data at the direction of their controllers, and it follows that sub-processors must only process at the direction of the processors who supply the data.
This addendum should not be used to amend agreements involving the transfer of personal data from a controller to a processor - we have a distinct template for that situation.Ask about this document
Data processing addendum (processor-sub-processor) contents
- Definitions: definitions.
- This Addendumandthe Agreement:AddendumvariesAgreement; provisions ofAgreementceasing to have effect; definitions inAgreement; limitations of liability in contract apply to document.
- Data protection: compliance with data protection laws; warranty of Processor's right to disclose personal data (GDPR); details of personal data processed bythe Sub-Processor(GDPR); purposes of processing of personal data bythe Sub-Processor(GDPR); duration of personal data processing bySub-Processor(GDPR); personal data processed bySub-Processoron instructions (GDPR); authorised international transfers of personal data (GDPR); informingProcessorof illegal instructions (GDPR); personal data processed bySub-Processoras required by law (GDPR); confidentiality obligations onSub-Processorpersons processing personal data (GDPR); security of personal data processed bySub-Processor(GDPR); appointment of sub-processor bySub-Processor(GDPR); authorisation forSub-Processorto appoint sub-processors (GDPR);Sub-Processorto assist with exercise of data subject rights (GDPR);Sub-Processorto assist with compliance (GDPR); obligation to notifyProcessorof personal data breach (GDPR);Sub-Processorto provide data protection compliance information (GDPR); deletion of personal data bySub-Processor(GDPR);Sub-Processorto allow audit (GDPR); changes to data protection law.
- Surviving provisions: surviving provisions upon termination.
SCHEDULE 1 (DATA PROCESSING INFORMATION)
- Categories of data subject: prompt for categories of data subject.
- Types of
Personal Data: prompt for types of personal data.
- Purposes of processing: prompt for personal data processing purposes.
- Security measures for
Personal Data: prompt for security measures for personal data.
- Sub-processors of Personal Data: prompt for identifying sub-processors of personal data.
SCHEDULE 2 (STANDARD CONTRACTUAL CLAUSES)
- Prompt for standard contractual clauses.