| Author: | Alasdair Taylor |
| Updated: | 23 January 2023 |
| Length: | 10 pages |
| Notes: | 11 pages |
| Format: | MS Word (.DOCX) |
This data processing agreement will help data controllers to transfer personal data to processors and will help processors to make onward transfers of personal data to sub-processors, in each case in a General Data Protection Regulation (GDPR)-compliant manner.
The data processing agreement may be used as a stand-alone document, but more commonly it will be used to supplement an existing contract under which data, including personal data, is processed.
The approach we have taken in preparing this data processing agreement is to closely shadow the requirements of the GDPR (in both its EU and UK forms). Clauses included in the agreement cover, for example, obligations on the processor to act only on the instructions of the data controller in relation to the processing of the data and to delete the personal data after the end of the contract.
The "variables" which may be associated with a data processing agreement, such as the identification of data subject categories, are set out in a schedule to the agreement. Another optional schedule may be used to incorporate the EU standard contractual clauses and/or UK international data transfer agreement/addendum for international transfers into the agreement.
Before using this template, you will need to clearly identify the roles of the parties within the scheme defined by the GDPRs. Is the party a controller, a processor or a sub-processor? To illustrate the different categories of actor here: imagine a social network that buys in hosting from a hosting services reseller. A social network operator would usually be a controller, while a hosting services reseller providing services to the operator would usually be a processor, and the ultimate provider of the hosting services would be a sub-processor of the reseller.
