[Date]
providing that, if the stated time of deemed receipt is not within Business Hours, then the time of deemed receipt shall be when Business Hours next begin after the stated time.
The parties have indicated their acceptance of this Agreement by executing it below. SIGNED BY [[individual name] on [...............], the Processor] OR [[individual name] on [...............], duly authorised for and on behalf of the Processor]: ........................................
SIGNED BY [[individual name] on [...............], the Controller] OR [[individual name] on [...............], duly authorised for and on behalf of the Controller]:
[Specify the categories of data subject whose personal data may be processed]
[Specify types of personal data to be processed]
[Specify purposes for which personal data may be processed]
[Specify the security measures used to protect personal data]
[Identify sub-processors of personal data]
[Insert model contractual clauses]
This data processing agreement has been designed to help data controllers to transfer personal data to data processors in a way that complies with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).
The GDPR will come into force on 25 May 2018. If you have a subsisting data processing agreement that will be replaced by this document, you should specify the effective date of this agreement as a date on or before 25 May 2018.
This agreement may be used to supplement a separated services contract, whether pre-existing or not.
This basic document covers the specific obligations set out in the GDPR, but does not include some of the more detailed provisions that are typically found in data processing agreements covering business-critical, high volume or sensitive personal data processing. In addition, this document does not cover controller or processor company group structures; nor does it cover liabilities/indemnities, audit rights or co-operation rights in any detail.
A word of warning: the GDPR is a complex piece of legislation, and EU member states are free in some areas to apply standards for the protection of personal data that are stricter than those set out in the GDPR. Fines under the GDPR may be large and private individuals may seek damages in respect of breaches. Accordingly, we recommend that you take legal advice on all aspects of GDPR compliance, including your data processing contract arrangements.
Insert the date of execution of the document.
Subsection 1
Subsection 2
Do you wish to include in the document a description of the background to the document?
Subsection 1
Subsection 2
Subsection 3
Definition of Business Day
Definition of Business Hours
Definition of Term
Optional element.
Clause 2.1
Optional element.
Clause 3.1
Should the document include a provision specifying the consideration provided by the second party to the first party?
In English law, a contract must be supported by consideration, i.e. some kind of quid pro quo. The consideration may be nominal. This sort of provision may be required if it is unclear what benefit the first party is getting from the contract. An alternative approach in these circumstances is to execute the document as a deed.
Clause 4.1
This provision is designed to help the parties to a data processing arrangement to comply with the General Data Protection Regulation (GDPR), in force from 25 May 2018.
In addition to a set of specific requirements, the GDPR includes a general obligation on data controllers to ensure compliance:
"Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject." (Article 28(1))
One aspect of ensuring compliance is the use of an appropriate written contract:
"Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller." (Article 28(3))
The drafting in these provisions closely reflects the language of the GDPR.
Clause 5.1
Article 28(2)(a) of the GDPR provides that the controller-processor contract must stipulate an exception to the general rule that personal data may only be processed on the data controller's instructions: " ... unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest".
Note the distinction between "Union or Member State law" in the GDPR and "applicable law" in the draft provision. There is a possibility of conflict between legal obligations here. Similarly, if applicable law prohibits the notification to the controller of legally-mandated processing, then in principle that might not be on "important grounds of public interest".
Clause 5.7
Article 28(3)(b) of the GDPR provides that the controller-processor contract must stipulate that the processor "ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality".
Clause 5.8
Article 28(3)(b) of the GDPR provides that the controller-processor contract must stipulate that the processor "ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality".
Clause 5.9
Article 28(3)(c) of the GDPR provides that the controller-processor contract must stipulate that the processor "takes all measures required pursuant to Article 32".
Article 32 provides that:
Article 28(2) of the GDPR provides that: "The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes".
Article 28(4) provides that: "Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations."
Article 28(3)(d) provides that the controller-processor contract should stipulate that the processor "respects the conditions referred to in paragraphs 2 and 4 for engaging another processor".
Clause 5.11
Optional element.
Clause 5.12
Article 28(3)(e) of the GDPR provides that controller-processor contracts must stipulate that the processor "taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III".
Clause 5.13
Article 28(3)(f) of the GDPR provides that the controller-processor contract must stipulate that the processor "assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor".
Clause 5.14
Article 28(3)(h): the contract must require that the data processor "makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article...".
The draft clause here is wider, covering compliance with any data protection legislation.
Clause 5.15
Article 28(3)(g) of the GDPR requires that the controller-processor contract stipulates that the processor "at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data".
NB this is slightly different from the suggested contract provision, which refers instead to "applicable law". Clearly, there could be a conflict here between the requirements of the law of a non-EU jurisdiction and the requirements of EU law.
Clause 5.16
Article 28(3)(h): the contract must require that the data processor "allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller".
The suggested qualification to the scope of audits is not expressly permitted in the legislation.
Clause 5.17
Optional element.
Consider whether additional rights of termination may be required in the event that the parties are unable to agree a suitable variation.
Do not delete this provision (except upon legal advice). Without this provision, the specific limitations and exclusions of liability in the document are more likely to be unenforceable.
Optional element.
Clause 7.1
Optional element.
Optional element.
Clause 7.3
Optional element.
Optional element.
Clause 8.1
Optional element.
Optional element.
Clause 9.2
Optional element.
Clause 9.3
Optional element.
This is intended to prevent, for example, one party wrongfully claiming that a term of the contract was changed in a telephone call.
Clause 9.4
Optional element.
Clause 9.5
Optional element.
This provision is designed to exclude any rights a third party may have under the Contracts (Rights of Third Parties) Act 1999.
Clause 9.6
Optional element.
Clause 9.7
This template has been drafted to work in the English law context. If you plan to change the governing law, you should have the document reviewed by someone with expertise in the law of the relevant jurisdiction.
Optional element.
As a practical matter, it makes sense for the courts with expertise in the relevant law to have the right to adjudicate disputes. Where one of the parties is outside England (or at least the UK), you may want to grant the courts of their home jurisdiction the right to adjudicate disputes, as this could ease enforcement in some circumstances.
Should provisions concerning the interpretation of the document be included?
Clause 10.1
Optional element.
Clause 10.2
Optional element.
Clause 10.3
Optional element.
Clause 10.4
Optional element.
This provision is designed to exclude the application of a rule of interpretation known as the ejusdem generis rule. That rule may affect the interpretation of contractual clauses that list particular examples or instances of some more general idea, by limiting the scope of the general idea by reference to those particular examples or instances.
Subsection: Execution of contract by first party (individual, company or partnership)
Subsection: Execution of contract by second party (individual, company or partnership)
Optional element.
Paragraph 5: Sub-processors of Personal Data
Optional element.
Optional element.
For information about, and copies of, the model contractual clauses, see: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm