Register
Forgotten password?

A family of Data processing agreementsdocumentsData processing agreements

Data processing agreements between controllers of personal data and their processors, and between processors and sub-processors, have long been a requirement of EU and UK data protection law. With the coming of the General Data Protection Regulation (GDPR) they have become much more common. GDPR-friendly data processing agreements tend to be longer and more complex than pre-GDPR agreements. These template data processing agreements are designed to help you produce a compliant document with the minimum of fuss. They track the specific requirements of the GDPR closely, supplementing those requirements in a few important areas.

Free data processing agreement

FREE

Get
Version 1.0
First published 24 Jan 2023
Last updated 24 Jan 2023
Word count 5,540
Template pages 9

Data processing agreement (controller-processor)

FROM

£40.00

OR

40

CREDITS
Buy
Version 1.8
First published 25 Aug 2017
Last updated 23 Jan 2023
Word count 5,315
Template pages 9

Data processing agreement (processor-sub-processor)

FROM

£40.00

OR

40

CREDITS
Buy
Version 1.4
First published 28 Feb 2018
Last updated 23 Jan 2023
Word count 5,379
Template pages 9

Compare contents

Free data processing agreement contents

  1. Definitions: definitions.
  2. Credit: docular credit; free documents licensing warning.
  3. Supplemental:
    Agreement
     supplements main contract; definitions in main contract; conflict between 
    Agreement
     and main contract; breach of 
    Agreement
     deemed to be breach of main contract; breach of main contract deemed to be breach of 
    Agreement
    ; termination with main contract; main contract termination.
  4. Term: commencement of term; end of term.
  5. Data protection: compliance with data protection laws; warranty of
    Controller
    's right to disclose personal data (GDPR); details of personal data processed by 
    the Processor
     (GDPR); purposes of processing of personal data by 
    the Processor
     (GDPR); duration of personal data processing by
    Processor
    (GDPR); personal data processed by
    Processor
    on instructions (GDPR); authorised international transfers of personal data (GDPR); informing 
    Controller
     of illegal instructions (GDPR); personal data processed by
    Processor
    as required by law (GDPR); confidentiality obligations on
    Processor
     persons processing personal data (GDPR); security of personal data processed by 
    Processor
     (GDPR); appointment of sub-processor by
    Processor
    (GDPR); authorisation for
    Processor
    to appoint sub-processors (GDPR);
    Processor
     to assist with exercise of data subject rights (GDPR);
    Processor
     to assist with compliance (GDPR); obligation to notify 
    Controller
    of personal data breach (GDPR);
    Processor
     to provide data protection compliance information (GDPR); deletion of personal data by 
    Processor
     (GDPR);
    Processor
     to allow audit (GDPR); changes to data protection law.
  6. Limits upon exclusions of liability: caveats to limits of liability.
  7. Termination: termination by either party without cause; termination by either party upon breach; termination upon insolvency.
  8. Effects of termination: surviving provisions upon termination; termination does not affect accrued rights.
  9. Notices: methods and deemed receipt of contractual notices; contact details for contractual notices; substitute contact details for notices.
  10. General: no waiver; severability; variation written and signed; no assignment without written consent; no third party rights; entire agreement; governing law; exclusive jurisdiction.
  11. Interpretation: statutory references; section headings not affecting interpretation; calendar month meaning; no ejusdem generis.

SCHEDULE 1 (DATA PROCESSING INFORMATION)

  1. Categories of data subject: prompt for categories of data subject.
  2. Types of Personal Data: prompt for types of personal data.
  3. Purposes of processing: prompt for personal data processing purposes.
  4. Security measures for Personal Data: prompt for security measures for personal data.
  5. Sub-processors of Personal Data: prompt for identifying sub-processors of personal data.

SCHEDULE 2 (STANDARD CONTRACTUAL CLAUSES)

    Prompt for standard contractual clauses.

Data processing agreement (controller-processor) contents

  1. Definitions: definitions.
  2. Supplemental:
    Agreement
     supplements main contract; definitions in main contract; conflict between 
    Agreement
     and main contract; breach of 
    Agreement
     deemed to be breach of main contract; breach of main contract deemed to be breach of 
    Agreement
    ; termination with main contract; main contract termination.
  3. Term: commencement of term; end of term.
  4. Data protection: compliance with data protection laws; warranty of
    Controller
    's right to disclose personal data (GDPR); details of personal data processed by 
    the Processor
     (GDPR); purposes of processing of personal data by 
    the Processor
     (GDPR); duration of personal data processing by
    Processor
    (GDPR); personal data processed by
    Processor
    on instructions (GDPR); authorised international transfers of personal data (GDPR); informing 
    Controller
     of illegal instructions (GDPR); personal data processed by
    Processor
    as required by law (GDPR); confidentiality obligations on
    Processor
     persons processing personal data (GDPR); security of personal data processed by 
    Processor
     (GDPR); appointment of sub-processor by
    Processor
    (GDPR); authorisation for
    Processor
    to appoint sub-processors (GDPR);
    Processor
     to assist with exercise of data subject rights (GDPR);
    Processor
     to assist with compliance (GDPR); obligation to notify 
    Controller
    of personal data breach (GDPR);
    Processor
     to provide data protection compliance information (GDPR); deletion of personal data by 
    Processor
     (GDPR);
    Processor
     to allow audit (GDPR); changes to data protection law.
  5. Limits upon exclusions of liability: caveats to limits of liability.
  6. Termination: termination by either party without cause; termination by either party upon breach; termination upon insolvency.
  7. Effects of termination: surviving provisions upon termination; termination does not affect accrued rights.
  8. Notices: methods and deemed receipt of contractual notices; contact details for contractual notices; substitute contact details for notices.
  9. General: no waiver; severability; variation written and signed; no assignment without written consent; no third party rights; entire agreement; governing law; exclusive jurisdiction.
  10. Interpretation: statutory references; section headings not affecting interpretation; calendar month meaning; no ejusdem generis.

SCHEDULE 1 (DATA PROCESSING INFORMATION)

  1. Categories of data subject: prompt for categories of data subject.
  2. Types of Personal Data: prompt for types of personal data.
  3. Purposes of processing: prompt for personal data processing purposes.
  4. Security measures for Personal Data: prompt for security measures for personal data.
  5. Sub-processors of Personal Data: prompt for identifying sub-processors of personal data.

SCHEDULE 2 (STANDARD CONTRACTUAL CLAUSES)

    Prompt for standard contractual clauses.