Data Protection

Data Processing Agreement

DATE

[Date]

  • 1 [[INDIVIDUAL NAME] of [address]] OR [[COMPANY NAME], a company incorporated in [England and Wales] (registration number [registration number]) having its registered office at [address]] OR [[PARTNERSHIP NAME], a partnership established under the laws of [England and Wales] having its principal place of business at [address]] (the "Processor"); and
  • 2 [[INDIVIDUAL NAME] of [address]] OR [[COMPANY NAME], a company incorporated in [England and Wales] (registration number [registration number]) having its registered office at [address]] OR [[PARTNERSHIP NAME], a partnership established under the laws of [England and Wales] having its principal place of business at [address]] (the "Controller").
  • 1 [Explain background from the Processor's perspective.]
  • 2 [Explain background from the Controller's perspective.]
  • 3 [The Processor and the Controller therefore wish to enter into a contract in accordance with the provisions of this Agreement.]

Agreement

  • 1.1 In this Agreement[, except to the extent expressly provided otherwise]:
    1. "Agreement" means this agreement including any Schedules, and any amendments to this Agreement from time to time;
    2. "Business Day" means any weekday other than a bank or public holiday in [England];
    3. "Business Hours" means the hours of [09:00 to 17:00 GMT/BST] on a Business Day;
    4. "Controller Personal Data" means [any Personal Data that is processed by the Processor on behalf of the Controller under or in relation to] [the Main Contract] OR [this Agreement];
    5. "Data Protection Laws" means [all applicable laws relating to the processing of Personal Data including, while it is in force and applicable to Controller Personal Data, the General Data Protection Regulation (Regulation (EU) 2016/679)];
    6. "Effective Date" means [the date upon which the Main Contract comes into force] OR [the date of execution of this Agreement];
    7. "Main Contract" means [the contract between the parties dated ][date], as it may be amended and updated from time to time;
    8. "Personal Data" [has the meaning given to it in the Data Protection Laws][ applicable in [the United Kingdom] from time to time];
    9. "Schedule" means any schedule attached to the main body of this Agreement; and
    10. "Term" means [the term of this Agreement, commencing in accordance with Clause 3.1 and ending in accordance with Clause 3.2].
  • 2.1 This Agreement supplements the Main Contract.
  • 2.2 Any capitalised terms that are:
    1. used in this Agreement;
    2. defined in the Main Contract; and
    3. not defined in this Agreement,
    shall in this Agreement have the meanings given to them in the Main Contract.
  • 2.3 If there is a conflict between this Agreement and the Main Contract, then [this Agreement] OR [the Main Contract] shall take precedence.
  • 2.4 This Agreement shall automatically terminate upon the termination of the Main Contract.
  • 2.5 The Main Contract shall automatically terminate upon the termination of this Agreement.
  • 3.1 This Agreement shall come into force upon the Effective Date.
  • 3.2 This Agreement shall continue in force [indefinitely] OR [until [date], at the beginning of which this Agreement shall terminate automatically] OR [until [event], upon which this Agreement shall terminate automatically], subject to termination in accordance with Clause 2.4, 2.5 or 7 or any other provision of this Agreement.
  • 4.1 The Processor has entered into this Agreement, and agrees to the provisions of this Agreement, in consideration for [the payment by the Controller to the Processor of the sum of [GBP 1.00], receipt of which the Processor now acknowledges] OR [[specify consideration]].
  • 5.1 [The Processor] OR [Each party] shall comply with the Data Protection Laws with respect to the processing of the Controller Personal Data.
  • 5.2 The Controller warrants to the Processor that it has the legal right to disclose all Personal Data that it does in fact disclose to the Processor under or in connection with this Agreement.
  • 5.3 The Controller shall only supply to the Processor, and the Processor shall only process, in each case under or in relation to this Agreement, the Personal Data of data subjects falling within the categories specified in Paragraph 1 of Schedule 1 (Data processing information) and of the types specified in Paragraph 2 of Schedule 1 (Data processing information); and the Processor shall only process the Controller Personal Data for the purposes specified in Paragraph 3 of Schedule 1 (Data processing information).
  • 5.4 The Processor shall only process the Controller Personal Data during the Term[ and for not more than [30 days] following the end of the Term], subject to the other provisions of this Clause 5.
  • 5.5 The Processor shall only process the Controller Personal Data on the documented instructions of the Controller (including with regard to transfers of the Controller Personal Data to [any place outside the European Economic Area])[, as set out in [this Agreement or any other document agreed by the parties in writing]].
  • 5.6 The Processor shall promptly inform the Controller if, in the opinion of the Processor, an instruction of the Controller relating to the processing of the Controller Personal Data infringes the Data Protection Laws.
  • 5.7 If the Controller agrees in writing to any transfer of Controller Personal Data to [any place outside the European Economic Area] then, unless the Controller agrees otherwise in writing, such transfer shall be made under the standard contractual clauses set out in Schedule 2 (Model contractual clauses).
  • 5.8 Notwithstanding any other provision of this Agreement, the Processor may process the Controller Personal Data if and to the extent that the Processor is required to do so by [applicable law]. In such a case, the Processor shall inform the Controller of the legal requirement before processing, unless that law prohibits such information[ on important grounds of public interest].
  • 5.9 The Processor shall ensure that persons authorised to process the Controller Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • 5.10 The Processor and the Controller shall each implement appropriate technical and organisational measures to ensure an appropriate level of security for the Controller Personal Data[, including those measures specified in Paragraph 4 of Schedule 1 (Data processing information)].
  • 5.11 The Processor must not engage any third party to process the Controller Personal Data without the prior specific or general written authorisation of the Controller. In the case of a general written authorisation, the Processor shall inform the Controller at least [14 days] in advance of any intended changes concerning the addition or replacement of any third party processor, and if the Controller objects to any such changes before their implementation, then [the Processor must not implement the changes] OR [the Controller may terminate this Agreement on [7 days'] written notice to the Processor, providing that such notice must be given within the period of [7 days] following the date that the Processor informed the Controller of the intended changes] OR [specify consequences of objection]. The Processor shall ensure that each third party processor is subject to [the same] OR [equivalent] legal obligations as those imposed on the Processor by this Clause 5.
  • 5.12 As at the Effective Date, the Processor is hereby authorised by the Controller to engage, as sub-processors with respect to Controller Personal Data, [the third parties identified in] OR [third parties within the categories identified in] OR [the third parties, and third parties within the categories, identified in] Paragraph 5 of Schedule 1 (Data processing information).
  • 5.13 The Processor shall, insofar as possible and taking into account the nature of the processing, take appropriate technical and organisational measures to assist the Controller with the fulfilment of the Controller's obligation to respond to requests exercising a data subject's rights under the Data Protection Laws.
  • 5.14 The Processor shall assist the Controller in ensuring compliance with [the obligations relating to the security of processing of personal data, the notification of personal data breaches to the supervisory authority, the communication of personal data breaches to the data subject, data protection impact assessments and prior consultation in relation to high-risk processing under the Data Protection Laws]. The Processor shall report any Personal Data breach relating to the Controller Personal Data to the Controller within [24 hours] following the Processor becoming aware of the breach. [ The Processor may charge the Controller [at its standard time-based charging rates] for any work performed by the Processor at the request of the Controller pursuant to this Clause 5.14.]
  • 5.15 The Processor shall make available to the Controller all information necessary to demonstrate the compliance of the Processor with [its obligations under this Clause 5 and the Data Protection Laws].
  • 5.16 The Processor shall, at the choice of the Controller, delete or return all of the Controller Personal Data to the Controller after the provision of services relating to the processing, and shall delete existing copies save to the extent that [applicable law] requires storage of the relevant Personal Data.
  • 5.17 The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller[ in respect of [the compliance of the Processor's processing of Controller Personal Data with the Data Protection Laws and this Clause 5]].[ The Processor may charge the Controller [at its standard time-based charging rates] for any work performed by the Processor at the request of the Controller pursuant to this Clause 5.17.]
  • 5.18 If any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the Data Protection Laws in relation to processing of Personal Data carried out under this Agreement, then the parties shall use their best endeavours promptly to agree such variations to this Agreement as may be necessary to remedy such non-compliance.
  • 6.1 Nothing in this Agreement will:
    1. limit or exclude any liability for death or personal injury resulting from negligence;
    2. limit or exclude any liability for fraud or fraudulent misrepresentation;
    3. limit any liabilities in any way that is not permitted under applicable law; or
    4. exclude any liabilities that may not be excluded under applicable law.
  • 7.1 Either party may terminate this Agreement by giving to the other party [at least 30 days'] written notice of termination.
  • 7.2 Either party may terminate this Agreement immediately by giving written notice of termination to the other party if the other party commits a material breach of this Agreement.
  • 7.3 Either party may terminate this Agreement immediately by giving written notice of termination to the other party if:
    1. the other party:
      1. is dissolved;
      2. ceases to conduct all (or substantially all) of its business;
      3. is or becomes unable to pay its debts as they fall due;
      4. is or becomes insolvent or is declared insolvent; or
      5. convenes a meeting or makes or proposes to make any arrangement or composition with its creditors;
    2. an administrator, administrative receiver, liquidator, receiver, trustee, manager or similar is appointed over any of the assets of the other party;
    3. an order is made for the winding up of the other party, or the other party passes a resolution for its winding up[ (other than for the purpose of a solvent company reorganisation where the resulting entity will assume all the obligations of the other party under this Agreement)]; or
    4. [if that other party is an individual:
      • that other party dies;
      • as a result of illness or incapacity, that other party becomes incapable of managing his or her own affairs; or
      • that other party is the subject of a bankruptcy petition or order.]
  • 8.1 Upon the termination of this Agreement, all of the provisions of this Agreement shall cease to have effect, save that the following provisions of this Agreement shall survive and continue to have effect (in accordance with their express terms or otherwise indefinitely): [Clauses 1, 2.2, 2.3, 5.1, 5.3, 5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 5.10, 5.11, 5.12, 5.13, 5.14, 5.15, 5.16, 5.17, 5.18, 6, 8, 10 and 11].
  • 8.2 Except to the extent that this Agreement expressly provides otherwise, the termination of this Agreement shall not affect the accrued rights of either party.
  • 9.1 Any notice from one party to the other party under this Agreement must be given by one of the following methods (using the relevant contact details set out in Clause 9.2):
    1. [[delivered personally or sent by courier], in which case the notice shall be deemed to be received [upon delivery]]; or
    2. [sent by [recorded signed-for post], in which case the notice shall be deemed to be received [2 Business Days following posting]],

providing that, if the stated time of deemed receipt is not within Business Hours, then the time of deemed receipt shall be when Business Hours next begin after the stated time.

  • 9.2 The parties' contact details for notices under this Clause 9 are as follows:
    1. [in the case of notices sent by the Controller to the Processor, [contact details]; and
    2. in the case of notices sent by the Processor to the Controller, [contact details].
  • 9.3 The addressee and contact details set out in Clause 9.2 may be updated from time to time by a party giving written notice of the update to the other party in accordance with this Clause 9.
  • 10.1 No breach of any provision of this Agreement shall be waived except with the express written consent of the party not in breach.
  • 10.2 If any provision of this Agreement is determined by any court or other competent authority to be unlawful and/or unenforceable, the other provisions of this Agreement will continue in effect. If any unlawful and/or unenforceable provision would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the provision will continue in effect (unless that would contradict the clear intention of the parties, in which case the entirety of the relevant provision will be deemed to be deleted).
  • 10.3 This Agreement may not be varied except by a written document signed by or on behalf of each of the parties.
  • 10.4 Neither party may without the prior written consent of the other party assign, transfer, charge, license or otherwise deal in or dispose of any contractual rights or obligations under this Agreement.
  • 10.5 This Agreement is made for the benefit of the parties, and is not intended to benefit any third party or be enforceable by any third party. The rights of the parties to terminate, rescind, or agree any amendment, waiver, variation or settlement under or relating to this Agreement are not subject to the consent of any third party.
  • 10.6 Subject to Clause 6, this Agreement shall constitute the entire agreement between the parties in relation to the subject matter of this Agreement, and shall supersede all previous agreements, arrangements and understandings between the parties in respect of that subject matter.
  • 10.7 This Agreement shall be governed by and construed in accordance with [English law].
  • 10.8 The courts of [England] shall have exclusive jurisdiction to adjudicate any dispute arising under or in connection with this Agreement.
  • 11.1 In this Agreement, a reference to a statute or statutory provision includes a reference to:
    1. that statute or statutory provision as modified, consolidated and/or re-enacted from time to time; and
    2. any subordinate legislation made under that statute or statutory provision.
  • 11.2 The Clause headings do not affect the interpretation of this Agreement.
  • 11.3 References in this Agreement to "calendar months" are to [the 12 named periods (January, February and so on) into which a year is divided].
  • 11.4 In this Agreement, general words shall not be given a restrictive interpretation by reason of being preceded or followed by words indicating a particular class of acts, matters or things.

The parties have indicated their acceptance of this Agreement by executing it below. SIGNED BY [[individual name] on [...............], the Processor] OR [[individual name] on [...............], duly authorised for and on behalf of the Processor]: ........................................

SIGNED BY [[individual name] on [...............], the Controller] OR [[individual name] on [...............], duly authorised for and on behalf of the Controller]:

  • 1. Categories of data subject

    [Specify the categories of data subject whose personal data may be processed]

  • 2. Types of Personal Data

    [Specify types of personal data to be processed]

  • 3. Purposes of processing

    [Specify purposes for which personal data may be processed]

  • 4. Security measures for Personal Data

    [Specify the security measures used to protect personal data]

  • 5. Sub-processors of Personal Data

    [Identify sub-processors of personal data]

[Insert model contractual clauses]

This data processing agreement has been designed to help data controllers to transfer personal data to data processors in a way that complies with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

The GDPR will come into force on 25 May 2018. If you have a subsisting data processing agreement that will be replaced by this document, you should specify the effective date of this agreement as a date on or before 25 May 2018.

This agreement may be used to supplement a separate services contract, whether pre-existing or not.

This basic document covers the specific obligations set out in the GDPR, but does not include some of the more detailed provisions that are typically found in data processing agreements covering business-critical, high volume or sensitive personal data processing. In addition, this document does not cover controller or processor company group structures; nor does it cover liabilities/indemnities, audit rights or co-operation rights in any detail.

A word of warning: the GDPR is a complex piece of legislation, and EU member states are free in some areas to apply standards for the protection of personal data that are stricter than those set out in the GDPR. Fines under the GDPR may be large and private individuals may seek damages in respect of breaches. Accordingly, we recommend that you take legal advice on all aspects of GDPR compliance, including your data processing contract arrangements.

Insert the date of execution of the document.

Subsection 1

  1. Is the first party an individual, a company or a partnership?
  2. What is the full name of the individual (including middle names)?
  3. What is the postal address of the first party?
  4. What is the full company name of the first party?
  5. In which jurisdiction is the first party incorporated?
  6. What is the registration number of the first party?
  7. What is the registered office address of the first party?
  8. What is the name of the first party partnership?
  9. In which jurisdiction is the first party partnership established?
  10. Where is the principal place of business of the first party?

Subsection 2

  1. Is the second party an individual, a company or a partnership?
  2. What is the full name of the individual (including middle names)?
  3. What is the postal address of the second party?
  4. What is the full company name of the second party?
  5. In which jurisdiction is the second party incorporated?
  6. What is the registration number of the second party?
  7. What is the registered office address of the second party?
  8. What is the name of the second party partnership?
  9. In which jurisdiction is the second party partnership established?
  10. Where is the principal place of business of the second party?

Do you wish to include in the document a description of the background to the document?

Subsection 1

  1. Explain the background to this document from the perspective of the Processor.

Subsection 2

  1. Explain the background to the document from the perspective of the Controller.

Subsection 3

  1. It is common to provide a very short summary of what the contract is about.
Clause 1.1

Definition of Business Day

  1. The bank and public holidays of which jurisdiction should be excluded from the definition of "Business Day"?

Definition of Business Hours

  1. What are business hours for the purposes of this document?

Definition of Term

  1. Define "Term", the period during which the contract will subsist.

Optional element.

Clause 2.1
  1. Optional element.
Clause 2.2
  1. Optional element.
Clause 2.3
  1. Optional element.
Clause 2.4
  1. Optional element.
Clause 2.5
  1. Optional element.

Optional element.

Clause 3.1
  1. Is the term of the contract indefinite, or will it come to an end upon some agreed date, or upon the occurrence of a defined event?
  2. Upon what date will the contract terminate?
  3. Upon the occurrence of what event will the contract terminate?

Should the document include a provision specifying the consideration provided by the second party to the first party?

In English law, a contract must be supported by consideration, i.e. some kind of quid pro quo. The consideration may be nominal. This sort of provision may be required if it is unclear what benefit the first party is getting from the contract. An alternative approach in these circumstances is to execute the document as a deed.

Clause 4.1
  1. Will monetary consideration be provided to the first party, or some other form of consideration?
  2. What amount will be paid by the second party to the first party by way of consideration? The amount may be a nominal amount.
  3. Specify the consideration provided by the second party to the first party.

This provision is designed to help the parties to a data processing arrangement to comply with the General Data Protection Regulation (GDPR), in force from 25 May 2018.

In addition to a set of specific requirements, the GDPR includes a general obligation on data controllers to ensure compliance:

"Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject." (Article 28(1))

One aspect of ensuring compliance is the use of an appropriate written contract:

"Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller." (Article 28(3))

The drafting in these provisions closely reflects the language of the GDPR.

Clause 5.1
  1. Optional element.
Clause 5.2
  1. Optional element.
Clause 5.3
  1. Article 28(2)(a) of the GDPR provides that the controller-processor contract must stipulate that the controller "processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation ...".
Clause 5.4
  1. Optional element.
    The final section of Article 28(3) of the GDPR reads: "With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions." The cross-reference in the legislation is presumably a mistake, and should point at Article 28(3)(a). In any case, it is not clear from the legislation whether this provision needs to be part of the processing contract.
Clause 5.5
  1. Optional element.
Clause 5.6

Article 28(2)(a) of the GDPR provides that the controller-processor contract must stipulate an exception to the general rule that personal data may only be processed on the data controller's instructions: " ... unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest".

Note the distinction between "Union or Member State law" in the GDPR and "applicable law" in the draft provision. There is a possibility of conflict between legal obligations here. Similarly, if applicable law prohibits the notification to the controller of legally-mandated processing, then in principle that might not be on "important grounds of public interest".

Clause 5.7

Article 28(3)(b) of the GDPR provides that the controller-processor contract must stipulate that the processor "ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality".

Clause 5.8

Article 28(3)(b) of the GDPR provides that the controller-processor contract must stipulate that the processor "ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality".

Clause 5.9

Article 28(3)(c) of the GDPR provides that the controller-processor contract must stipulate that the processor "takes all measures required pursuant to Article 32".

Article 32 provides that:
  • 1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
  • 2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
  • 3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
  • 4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
Clause 5.10

Article 28(2) of the GDPR provides that: "The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes".

Article 28(4) provides that: "Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations."

Article 28(3)(d) provides that the controller-processor contract should stipulate that the processor "respects the conditions referred to in paragraphs 2 and 4 for engaging another processor".

Clause 5.11

Optional element.

Clause 5.12

Article 28(3)(e) of the GDPR provides that controller-processor contracts must stipulate that the processor "taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III".

Clause 5.13

Article 28(3)(f) of the GDPR provides that the controller-processor contract must stipulate that the processor "assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor".

Clause 5.14

Article 28(3)(h): the contract must require that the data processor "makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article...".

The draft clause here is wider, covering compliance with any data protection legislation.

Clause 5.15

Article 28(3)(g) of the GDPR requires that the controller-processor contract stipulates that the processor "at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data".

NB this is slightly different from the suggested contract provision, which refers instead to "applicable law". Clearly, there could be a conflict here between the requirements of the law of a non-EU jurisdiction and the requirements of EU law.

Clause 5.16

Article 28(3)(h): the contract must require that the data processor "allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller".

The suggested qualification to the scope of audits is not expressly permitted in the legislation.

Clause 5.17

Optional element.

Consider whether additional rights of termination may be required in the event that the parties are unable to agree a suitable variation.

Clause 6.1

Do not delete this provision (except upon legal advice). Without this provision, the specific limitations and exclusions of liability in the document are more likely to be unenforceable.

Optional element.

Clause 7.1

Optional element.

  1. What notice period will apply to termination without cause by either party?

Clause 7.2

Optional element.

Clause 7.3

Optional element.

  1. Will the winding up of a party as part of a solvent company reorganisation give rise to a right of termination for the other party?
  2. Will or might a party to the document be an individual, rather than a corporate entity?

Optional element.

Clause 8.1

Optional element.

  1. Insert all required addressee, address and contact details for contractual notices sent to the Processor.
  2. Insert all required addressee, address and contact details for contractual notices sent to the Controller.

Clause 9.1

Optional element.

Clause 9.2

Optional element.

Clause 9.3

Optional element.

This is intended to prevent, for example, one party wrongfully claiming that a term of the contract was changed in a telephone call.

Clause 9.4

Optional element.

Clause 9.5

Optional element.

This provision is designed to exclude any rights a third party may have under the Contracts (Rights of Third Parties) Act 1999.

Clause 9.6

Optional element.

Clause 9.7

This template has been drafted to work in the English law context. If you plan to change the governing law, you should have the document reviewed by someone with expertise in the law of the relevant jurisdiction.

  1. Which law will govern the document?

Clause 9.7

Optional element.

As a practical matter, it makes sense for the courts with expertise in the relevant law to have the right to adjudicate disputes. Where one of the parties is outside England (or at least the UK), you may want to grant the courts of their home jurisdiction the right to adjudicate disputes, as this could ease enforcement in some circumstances.

Should provisions concerning the interpretation of the document be included?

Clause 10.1

Optional element.

Clause 10.2

Optional element.

Clause 10.3

Optional element.

Clause 10.4

Optional element.

This provision is designed to exclude the application of a rule of interpretation known as the ejusdem generis rule. That rule may affect the interpretation of contractual clauses that list particular examples or instances of some more general idea, by limiting the scope of the general idea by reference to those particular examples or instances.

Subsection: Execution of contract by first party (individual, company or partnership)

  1. Will the contract be signed by the (first party) contracting individual, or a person on behalf of the (first party) contracting entity?
  2. What is the full name of the first party signatory?
  3. On what date is the first party signing the contract?
  4. Add the full name of the person who will sign the document on behalf of the first party.
  5. On what date is the contract being signed on behalf of the first party?

Subsection: Execution of contract by second party (individual, company or partnership)

  1. Will the contract be signed by the (second party) contracting individual, or by a person on behalf of the (second party) contracting entity?
  2. What is the full name of the second party signatory?
  3. On what date is the second party signing the contract?
  4. Add the full name of the person who will sign the document on behalf of the second party.
  5. On what date is the contract being signed on behalf of the second party?

Paragraph 4: Security measures for Personal Data

Optional element.

Paragraph 5: Sub-processors of Personal Data

Optional element.

Optional element.

For information about, and copies of, the model contractual clauses, see: http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm

© 2018 Asergis Cloud. All Rights Reserved.