Specimen Data Processing Agreement
Art. 28 para. 3 GDPR
Disclaimer:
This specimen data processing agreement does not claim to be comprehensive and is primarily
intended to aid in cases where IT services are being outsourced.
This specimen data processing agreement is intended for information purposes only and does not
constitute legal advice or any other advice or consulting by e-comply.io.
This specimen data processing agreement is based on the publicly available template by the Bavarian
Data Protection Authority (BayLDA).
Data processing agreement
Between the client (hereinafter referred to as "controller")
______________________________________
and the service provider (hereinafter referred to as "processor") pursuant to Art. 28 para. 3
GDPR
______________________________________
3. Nature and purpose of the processing, nature of the personal data, category of the data
subjects
(1) Nature of the processing (Art. 4 no. 2 GDPR)
(2) Category of the data subjects affected (Art. 4 no. 1 GDPR)
(3) Nature of the personal data (Art. 4 no. 1, 13, 14 and 15 GDPR)
5. Persons authorised to issue instructions on the controller's side, recipients of
instructions on the processor's side
(1) Persons authorised to issue instructions on the controller's side are:
Name, surname
Department
Name, surname
Department
Name, surname
Department
(8) The processor has to correct, delete or restrict the use of personal data if the controller
instructs it to do so and no legitimate interest of the processor stands in the way.
(9) The processor shall inform the controller immediately if, in its opinion, an instruction infringes
the law (Art. 28 para. 3 s. 3 GDPR). The processor is entitled to suspend execution of the instruction
until the controller has either changed or confirmed it.
(10) The processor may disclose personal data to third parties or to the data subjects only with
the prior approval of the controller.
(11) The processor agrees that the controller, or a third party authorised by the controller, has the
right, by prior appointment, to verify whether the processor fulfils all contractual and legal duties,
by way of inquiries and inspection of facilities (Art. 28 para. 3 s. 2 lit. h GDPR).
(12) The processor agrees to support these controls as far as reasonable.
(13) If personal data is processed in private residences, this requires the prior approval of the
controller. The employer's right to inspect the private residences of its employees must be laid
down in a contract. The measures under Art. 32 GDPR must be ensured in that case as well.
(14) The processor is obliged to treat as confidential all personal data of which it obtains knowledge
within the framework of the contractual relationship. This obligation shall remain in force even after
the termination of the contract.
(15) The processor is further obliged to comply with the following domestic provisions on the
protection of confidential information that are binding on the controller:
(16) The processor ensures that all employees are acquainted with the relevant data protection
provisions and are bound in an appropriate manner to maintain confidentiality, even after they are no
longer employed by the processor (Art. 28 para. 3 s. 2 lit. b and Art. 29 GDPR). The processor has
to ensure compliance with data protection regulation within its business.
(17) If the controller's property or personal data held by the processor is jeopardised by third-party
measures, by insolvency or composition proceedings, or by any other incident, the processor has to
inform the controller immediately.
(18) The processor appoints as data protection officer
Name, surname
Department
Phone number
Any change in this appointment must be communicated to the controller immediately.
(3) The following data protection concept presents a selection of the technical and organisational
measures taken by the processor in line with the risks identified in the IT system and the processing
operations.
(4) The following procedure for regularly evaluating, assessing and reviewing the effectiveness of the
technical and organisational measures put in place to ensure processing in compliance with data
protection regulation is binding.
(5) The processor is obliged to critically evaluate, assess and review the effectiveness of the
technical and organisational measures put in place to ensure processing in compliance with data
protection regulation as needed, but at least once a year (audit) (Art. 32 para. 1 lit. d GDPR).
The results of the audit are to be presented to the controller.
Where applicable: the risk assessment was certified/audited pursuant to Art. 42 GDPR by
_______________________________________________________________________ on
__________________ (insert date). The complete audit records may be inspected by the
controller at any time.
(6) Security-relevant changes to the organisation of the data processing are to be decided jointly by
the controller and the processor.
(7) The processor may update its measures in line with technical developments, provided that the
agreed level of protection is not lowered. Significant changes must be documented and agreed
between the contracting parties. These agreements are to be retained for the duration of this contract.
(8) If the processor's measures do not meet the controller's requirements, the processor has to
inform the controller.
10. Obligations of the processor after completion of the contract, Art. 28
para. 3 s. 2 lit. g GDPR
After completion of the contract the processor has to hand over to the controller all data and
documents connected to the contract that are in its or its subcontractors' possession. Alternatively,
all such data and documents may, at the controller's choice, be permanently destroyed or deleted.
The destruction or deletion has to be confirmed to the controller in writing.
11. Liability
Liability is governed by Art. 82 GDPR.