Data processing agreements
Data processing agreements between controllers of personal data and their processors, and between processors and sub-processors, have long been a requirement of EU and UK data protection law. With the coming of the General Data Protection Regulation (GDPR) they have become much more common. GDPR-friendly data processing agreements tend to be longer and more complex than pre-GDPR agreements. These template data processing agreements are designed to help you produce a compliant document with the minimum of fuss. They track the specific requirements of the GDPR closely, supplementing those requirements in a few important areas.
Free data processing agreement
Get | |
Version | 1.0 |
---|---|
First published | 24 Jan 2023 |
Last updated | 24 Jan 2023 |
Word count | 5,540 |
Template pages | 9 |
Data processing agreement (controller-processor)
Buy | |
Version | 1.8 |
---|---|
First published | 25 Aug 2017 |
Last updated | 23 Jan 2023 |
Word count | 5,315 |
Template pages | 9 |
Data processing agreement (processor-sub-processor)
Buy | |
Version | 1.4 |
---|---|
First published | 28 Feb 2018 |
Last updated | 23 Jan 2023 |
Word count | 5,379 |
Template pages | 9 |
Compare contents
Free data processing agreement contents
- Definitions: definitions.
- Credit: docular credit; free documents licensing warning.
- Supplemental: Agreementsupplements main contract; definitions in main contract; conflict betweenAgreementand main contract; breach ofAgreementdeemed to be breach of main contract; breach of main contract deemed to be breach ofAgreement; termination with main contract; main contract termination.
- Term: commencement of term; end of term.
- Data protection: compliance with data protection laws; warranty of Controller's right to disclose personal data (GDPR); details of personal data processed bythe Processor(GDPR); purposes of processing of personal data bythe Processor(GDPR); duration of personal data processing byProcessor(GDPR); personal data processed byProcessoron instructions (GDPR); authorised international transfers of personal data (GDPR); informingControllerof illegal instructions (GDPR); personal data processed byProcessoras required by law (GDPR); confidentiality obligations onProcessorpersons processing personal data (GDPR); security of personal data processed byProcessor(GDPR); appointment of sub-processor byProcessor(GDPR); authorisation forProcessorto appoint sub-processors (GDPR);Processorto assist with exercise of data subject rights (GDPR);Processorto assist with compliance (GDPR); obligation to notifyControllerof personal data breach (GDPR);Processorto provide data protection compliance information (GDPR); deletion of personal data byProcessor(GDPR);Processorto allow audit (GDPR); changes to data protection law.
- Limits upon exclusions of liability: caveats to limits of liability.
- Termination: termination by either party without cause; termination by either party upon breach; termination upon insolvency.
- Effects of termination: surviving provisions upon termination; termination does not affect accrued rights.
- Notices: methods and deemed receipt of contractual notices; contact details for contractual notices; substitute contact details for notices.
- General: no waiver; severability; variation written and signed; no assignment without written consent; no third party rights; entire agreement; governing law; exclusive jurisdiction.
- Interpretation: statutory references; section headings not affecting interpretation; calendar month meaning; no ejusdem generis.
SCHEDULE 1 (DATA PROCESSING INFORMATION)
- Categories of data subject: prompt for categories of data subject.
- Types of
Personal Data : prompt for types of personal data. - Purposes of processing: prompt for personal data processing purposes.
- Security measures for
Personal Data : prompt for security measures for personal data. - Sub-processors of Personal Data: prompt for identifying sub-processors of personal data.
SCHEDULE 2 (STANDARD CONTRACTUAL CLAUSES)
- Prompt for standard contractual clauses.
Data processing agreement (controller-processor) contents
- Definitions: definitions.
- Supplemental: Agreementsupplements main contract; definitions in main contract; conflict betweenAgreementand main contract; breach ofAgreementdeemed to be breach of main contract; breach of main contract deemed to be breach ofAgreement; termination with main contract; main contract termination.
- Term: commencement of term; end of term.
- Data protection: compliance with data protection laws; warranty of Controller's right to disclose personal data (GDPR); details of personal data processed bythe Processor(GDPR); purposes of processing of personal data bythe Processor(GDPR); duration of personal data processing byProcessor(GDPR); personal data processed byProcessoron instructions (GDPR); authorised international transfers of personal data (GDPR); informingControllerof illegal instructions (GDPR); personal data processed byProcessoras required by law (GDPR); confidentiality obligations onProcessorpersons processing personal data (GDPR); security of personal data processed byProcessor(GDPR); appointment of sub-processor byProcessor(GDPR); authorisation forProcessorto appoint sub-processors (GDPR);Processorto assist with exercise of data subject rights (GDPR);Processorto assist with compliance (GDPR); obligation to notifyControllerof personal data breach (GDPR);Processorto provide data protection compliance information (GDPR); deletion of personal data byProcessor(GDPR);Processorto allow audit (GDPR); changes to data protection law.
- Limits upon exclusions of liability: caveats to limits of liability.
- Termination: termination by either party without cause; termination by either party upon breach; termination upon insolvency.
- Effects of termination: surviving provisions upon termination; termination does not affect accrued rights.
- Notices: methods and deemed receipt of contractual notices; contact details for contractual notices; substitute contact details for notices.
- General: no waiver; severability; variation written and signed; no assignment without written consent; no third party rights; entire agreement; governing law; exclusive jurisdiction.
- Interpretation: statutory references; section headings not affecting interpretation; calendar month meaning; no ejusdem generis.
SCHEDULE 1 (DATA PROCESSING INFORMATION)
- Categories of data subject: prompt for categories of data subject.
- Types of
Personal Data : prompt for types of personal data. - Purposes of processing: prompt for personal data processing purposes.
- Security measures for
Personal Data : prompt for security measures for personal data. - Sub-processors of Personal Data: prompt for identifying sub-processors of personal data.
SCHEDULE 2 (STANDARD CONTRACTUAL CLAUSES)
- Prompt for standard contractual clauses.