Specimen Data Processing Agreement

This document is a specimen data processing agreement between a controller and processor in accordance with Article 28(3) of the GDPR. It outlines the obligations of both parties, including: the processor will only process personal data according to the controller's instructions; the processor must implement appropriate technical and organizational security measures; the controller retains control and can audit the processor; the processor must notify the controller of any personal data breaches. The agreement also specifies the duration, purposes and nature of the data processing, as well as the rights and obligations of both parties.

Specimen data processing agreement in accordance with Art. 28 para. 3 GDPR

Disclaimer:
This specimen data processing agreement does not claim to be comprehensive and is primarily
intended to assist in cases where IT services are being outsourced.

This specimen data processing agreement is intended for information purposes only and does not
constitute legal advice or any other advice or consulting by e-comply.io.

This specimen data processing agreement is based on the publicly available template by the Bavarian
Data Protection Authority (BayLDA).
Data processing agreement
Between the client (hereinafter referred to as "controller")
______________________________________

and the service provider (hereinafter referred to as "processor") according to Art. 28 para. 3
GDPR
______________________________________

1. Subject of this agreement; no transfer of personal data to third countries

(1) To fulfil its obligations under the contract (name the specific contract and obligations here)
______________________________ of (insert date here) ____________, the processor processes
personal data on behalf of the controller within the meaning of Art. 4 no. 2 and Art. 28 GDPR.
(2) The processor performs the agreed service exclusively within the member states of the European
Union (EU) and the European Economic Area (EEA). Any partial or complete relocation to a third
country of the work processes by which the agreed service is performed requires the prior approval of
the controller and must comply with Art. 44-49 GDPR.

2. Duration of this agreement

(1) The parties conclude this agreement, independently of any other contractual obligations, for an
indefinite period. The notice period is one calendar month; the agreement ends at the end of the
respective calendar month.
(2) The controller may terminate the agreement without observing the notice period for significant
grounds. Significant grounds are:
● a significant breach of this agreement or of data protection regulations;
● non-implementation of the controller's instructions;
● denial of the controller's rights of control by the processor, contrary to this agreement;
● breach of the obligations laid out in this agreement or in Art. 28 GDPR.

3. Nature and purpose of the processing, nature of the personal data, categories of data subjects
(1) Nature of the processing (according to Art. 4 no. 2 GDPR)

(2) Categories of data subjects (according to Art. 4 no. 1 GDPR)
(3) Nature of the personal data (according to Art. 4 no. 1, 13, 14 and 15 GDPR)

4. Rights, obligations and rights of control of the controller

(1) The controller is solely responsible for the lawfulness of the processing under Art. 6 para. 1 GDPR
and for observing the rights of data subjects under Art. 12 to 22 GDPR. The processor must
immediately forward to the controller all inquiries, in particular those of data subjects, that are
recognisably directed solely at the controller.
(2) Any change to the nature of the data processed or to the processing itself must be agreed by both
the controller and the processor and documented in writing or electronically.
(3) The controller issues all orders, partial orders and instructions electronically or in writing. Oral
instructions must be confirmed in writing or electronically.
(4) Before the start of the processing, and regularly and appropriately thereafter, the controller has
the right to verify that the processor adheres to the technical and organisational measures and to the
contractual obligations under this agreement.
(5) The controller must inform the processor immediately upon detecting irregularities in the
processing results.
(6) The controller is obliged to keep confidential all confidential information obtained under the
contractual relationship. This obligation remains in force after termination of the contract.

5. Persons with the power to issue instructions on the side of the controller, recipients of instructions on the side of the processor
(1) Persons with the power to issue instructions on the side of the controller are

Name, Surname

Department

(If applicable) Substitute

(2) Recipients of instructions on the side of the processor are

Name, Surname

Department

(If applicable) Substitute


(3) In the event of changes to, or extended unavailability of, the contact persons, the other contracting
party must be informed immediately, in writing or electronically, of the successor.
6. Obligations of the processor
(1) The processor confirms that it is aware of all relevant provisions of the GDPR.
(2) The processor processes personal data only in accordance with the provisions of this contract and
the instructions issued by the controller. If the processor is required by the law of the European Union
or of one of its member states to process the data differently, it must inform the controller of that legal
requirement, unless that law prohibits such information on important grounds of public interest
(Art. 28 para. 3 s. 2 lit. a GDPR).
(3) The processor ensures that the data processed for the controller is strictly separated from other
stored data. Data carriers provided by the controller or used to process the controller's data are
marked as the controller's, and their use is documented.
(4) The processor has to perform the following regular inspections for the controller:

(5) The results of the inspections must be documented.


(6) The processor does not use the personal data handed over by the controller for any purpose other
than those stipulated. No data may be copied or duplicated without the approval of the controller.
(7) The processor has to assist the controller, as far as appropriate (Art. 28 para. 3 s. 2 lit. e, f GDPR),
in fulfilling the rights of data subjects under Art. 12 to 22 GDPR by providing the relevant
information.
The person who will receive this information on behalf of the controller is:
The person that will receive the information for the controller is:

Name, surname

Department

Address/ e-mail/ phone number

(8) The processor has to rectify, delete or restrict the processing of personal data if the controller
instructs it to do so and the processor has no legitimate interest in refusing.
(9) The processor will alert the controller immediately if, in its opinion, an instruction infringes the law
(Art. 28 para. 3 s. 3 GDPR). The processor is entitled to suspend execution of the instruction until the
controller either changes or confirms it.
(10) Personal data may only be disclosed by the processor to third parties or to the data subjects
concerned with the prior approval of the controller.
(11) The processor agrees that the controller, or a third party authorised by the controller, has the
right, after prior appointment, to inspect whether all contractual and legal duties are fulfilled by the
processor, through inquiries and inspection of facilities (Art. 28 para. 3 s. 2 lit. h GDPR).
(12) The processor agrees to assist with these inspections as far as appropriate.
(13) If personal data is processed in private residences, the controller must approve this. The
possibility of an inspection of employees' private residences by the employer must be specified in a
contract. The measures under Art. 32 GDPR must be ensured.
(14) The processor is obliged to treat all knowledge of personal data acquired within the framework of
the contractual relationship as confidential. This obligation remains in force after termination of the
contract.
(15) The processor is further obliged to comply with the following domestic confidentiality provisions
that bind the controller:
(16) The processor ensures that all employees are acquainted with the relevant data protection
provisions and are bound in an appropriate manner to maintain confidentiality, including after their
employment with the processor ends (Art. 28 para. 3 s. 2 lit. b and Art. 29 GDPR). The processor has
to ensure compliance with data protection regulation within its business.
(17) If the controller's property or personal data is jeopardised by third-party action, insolvency or
composition proceedings or any other incident, the processor has to inform the controller
immediately.
(18) The processor appoints the following person as data protection officer:

Name, surname

Department

Phone number
Any changes to that post need to be communicated to the controller immediately.

7. Processor's duty to inform in cases of interruptions in processing and infringements of the
protection of personal data
The processor informs the controller immediately of disruptions, of infringements of data protection
regulations or contractual obligations by the processor or its employees, and of irregularities in the
processing. This applies in particular with regard to any information and notification obligations of the
controller under Art. 33, 34 GDPR. The processor may only make notifications under Art. 33, 34 GDPR
with the controller's approval. The processor will assist the controller to an appropriate extent in
fulfilling its obligations under Art. 33, 34 GDPR (Art. 28 para. 3 s. 2 lit. f GDPR).

8. The processor's right to subcontract (Art. 28 para. 3 s. 2 lit. d GDPR)

(1) The processor may only engage a third party to process the controller's personal data after
approval by the controller (Art. 28 para. 2 GDPR). Approval can only be given after the controller has
received the name and address of the subcontractor and its intended function. The processor also
has to ensure that the subcontractor is selected with the greatest care. All relevant inspection
documents must be provided to the controller.
(2) When engaging a subcontractor located in a third country, the requirements of Art. 44-49 GDPR
must be fulfilled.
(3) The subcontractor must be contractually obliged by the processor to comply with all provisions
agreed between processor and controller. The contract between subcontractor and processor must
clearly distinguish the respective obligations and, where there is more than one subcontractor, the
obligations of each subcontractor. The controller must have the right to inspect the subcontractor in
the same manner as the processor.
(4) The contract with the subcontractor must be in writing; this may also be in electronic form (Art. 28
para. 4 and para. 9 GDPR).
(5) Data may only be transferred to the subcontractor after it has fulfilled its obligations under Art. 29
and Art. 32 para. 4 GDPR regarding its employees.
(6) The processor has to regularly verify the subcontractor's compliance with its obligations. The
results of these inspections must be made accessible to the controller.
(7) The processor is liable towards the controller for the subcontractor's adherence to its contractual
data protection obligations.
(8) The processor currently employs the following subcontractors (specified by name, address and
nature of the assignment) to process personal data to the extent specified:
The controller agrees to this.
(9) The processor informs the controller of any changes regarding the subcontractors, giving the
controller the opportunity to object to such changes (Art. 28 para. 2 s. 2 GDPR).

9. Technical and organisational measures pursuant to Art. 32 GDPR (Art. 28 para. 3 s. 2 lit. c GDPR)
(1) With regard to the specific processing operations, the rights and freedoms of the data subjects
must be adequately protected. The risk to data subjects must be contained in the long term through
appropriate technical and organisational measures, taking into account the protection objectives
pursuant to Art. 32 para. 1 GDPR.
(2) For the processing of personal data provided for under the contract, the following methodology for
risk assessment, taking into account the likelihood and severity of the risks to the rights and
freedoms of data subjects, is used:

(3) The following data protection concept presents a selection of the technical and organisational
measures taken by the processor to detect risks in the IT systems and processing operations:
(4) The following procedure for regularly evaluating, assessing and reviewing the effectiveness of the
technical and organisational measures to ensure processing in compliance with data protection
regulation is binding:

(5) The processor is obliged to critically evaluate, assess and review the effectiveness of the technical
and organisational measures put in place to ensure processing in compliance with data protection
regulation as needed, but at least once a year (audit) (Art. 32 para. 1 lit. d GDPR).
The results of the audit are to be presented to the controller.
If applicable: The risk assessment was certified/audited pursuant to Art. 42 GDPR by
_______________________________________________________________________ on (insert
date here)__________________. The complete inspection records can be viewed by the controller
at any time.
(6) Security-relevant changes to the organisation of the data processing must be decided jointly by
the controller and the processor.
(7) The processor's measures may be updated in line with technical development, but the agreed
standards may not be lowered. Significant changes must be documented and agreed upon by the
contracting parties. These agreements must be retained for the duration of this contract.
(8) If the processor's measures do not meet the controller's requirements, the controller must be
informed.

10. Obligations of the processor after completion of the contract (Art. 28 para. 3 s. 2 lit. g GDPR)
After completion of the contract, the processor has to hand over to the controller all data and
documents connected to the contract that are in its or its subcontractors' possession. Alternatively,
all data and documents connected to the contract are to be permanently destroyed/deleted. The
destruction/deletion must be confirmed in writing.
11. Liability
Referring to Art. 82 GDPR.

Date, Signature of processor

Date, Signature of controller
