Data Processing Agreement Template
This Data Processing Agreement (hereinafter referred to as “Agreement” or “DPA”) is made by and between [Sender.Company], a [Sender.State] [type of legal entity], having its principal place of business at [Sender.StreetAddress] (the “Company” or “Data Controller”), and [Client.Company], a [Client.State] [type of legal entity], having its principal place of business at [Client.StreetAddress] (the “Vendor” or “Data Processor” or “Processor”), who agree to be bound by the terms of this Agreement.
This Data Processing Agreement will be supplemental to the Master Service Agreement (or Terms and Conditions) (MSA) between the Parties, and this Agreement will follow the terms of that MSA.
The Company acts as the Data Controller and the Company wishes to subcontract certain Services, which may require the processing of personal data, to the Data Processor. The Parties seek to implement a data processing agreement in compliance with the requirements under the General Data Protection Regulation, and any other applicable Data Protection regulations. The Parties wish to operate according to the following terms:
1. Data Processor Responsibilities
1.1 Maintain ongoing compliance with all applicable Data Protection Laws in the processing of personal data; and
1.2 Agree not to process data other than that which is covered by the Company’s documented instructions.
1.3 Take reasonable measures to ensure that any employee, agent or contractor of any Contracted Processor who may have access to Personal Data, complies with the applicable Data Security laws in the same and equal manner in which the Data Processor complies with such laws.
2. Security of Data Processing
2.1 Data Processor shall implement the appropriate technical and organizational measures to ensure a level of security appropriate to mitigate security risks.
2.2 Data Processor shall take account of particular risks associated with a Personal Data breach and establish a process by which to address and remedy the breach.
3.1 Data Processor shall not appoint, or disclose any Company Personal Data to, any Subprocessor unless explicitly authorized by the Company.
4. Data Subject Rights
4.1 Data Subjects are those individuals who share their personal information with Company, which thereby shares such information with the Data Processor.
4.2 Data Processor shall assist Company in the implementation of appropriate technical and organizational measures to respond to requests by Data Subjects under applicable Data Protection Laws.
4.3 Data Processor shall promptly notify Company of any requests from Data Subjects with respect to Personal Data.
4.4 Data Processor shall ensure that it does not respond to a Data Subject request unless explicitly authorized by the Company or as required by applicable Data Protection Laws.
5. Personal Data Breach
5.1 Data Processor shall notify Company without any undue delay if Processor becomes aware of a Personal Data Breach that affects Company Personal Data, and provide Company with sufficient information to allow Company to fulfill its reporting obligations and inform the affected Data Subjects of the breach.
5.2 Data Processor shall cooperate with Company and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
6. Deletion or Return of Company Personal Data
6.1 Upon the cessation of its services to Company, Data Processor shall delete all copies of Company Personal Data within 10 business days of cessation of Services.
6.2 Data Processor shall provide written certification to the Company that it has fully complied with this Section.
7. Audit Rights
7.1 Subject to this Section, Data Processor shall make available, upon Company request, all information necessary to demonstrate Data Processor’s compliance with this Agreement, and shall allow for and cooperate with audits, including inspections by Company or an auditor authorized by Company.
8. Data Transfer
8.1 Data Processor may not transfer or authorize transfer of data from the European Union (EU) and/or the European Economic Area (EEA) to countries outside of the EU without the prior written consent of the Company. If Personal Data processed under this Agreement is transferred from a country within the EU or EEA to a country outside of the EU or EEA, the Parties shall ensure that the Personal Data are adequately protected. To achieve this, the Parties shall rely on EU-approved contractual clauses for the transfer of Personal Data.
9.1 Each Party must keep this Agreement and any information it receives about the other Party and its business related to this Agreement confidential, and neither Party shall disclose such information without prior written consent of the other Party unless (i) disclosure is required by law; or (ii) the relevant information is already in the public domain.
10.1 All notices and communications given under this Agreement must be made in writing and be delivered personally, or sent by post or by email, to the address set out in the heading of this Agreement.
11. Governing Law and Jurisdiction
This Agreement is governed by the laws of [Client.State].
In witness whereof, this Agreement is entered into by: