Data Processing Agreement (DPA)

Purpose: This Data Processing Agreement (“Agreement” or “DPA”) is entered into between two parties to ensure compliance with the General Data Protection Regulation (GDPR) when one party processes personal data on behalf of the other. It outlines the responsibilities of the Data Controller and the Data Processor to safeguard personal data and protect the rights and freedoms of individuals.

1. Parties

This Agreement is entered into between:

Data Controller: {controllerCompanyName}, having its registered office at {controllerAddress}

Data Processor: {processorCompanyName}, having its registered office at {processorAddress}

2. Subject Matter

This Agreement governs the processing of personal data by the Processor on behalf of the Controller for the purpose of {processingPurpose}.

3. Duration

The duration of this Agreement shall be {agreementDuration}, unless terminated earlier in accordance with the terms herein.

4. Categories of Data Subjects

The personal data processed under this Agreement relates to the following categories of data subjects:

{#dataSubjects}

• {subjectType}

{/dataSubjects}

5. Categories of Personal Data

The categories of personal data processed are listed as follows:

{#personalData}

• {dataCategory}

{/personalData}

6. Processing Activities

The Processor shall perform the following operations on the personal data:

{#processingActivities}

• {activityDescription}

{/processingActivities}

7. Obligations of the Processor

The Processor shall:

1. Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation;
2. Ensure that persons authorised to process the personal data have committed themselves to confidentiality;
3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk;
4. Assist the Controller in ensuring compliance with GDPR obligations regarding security, data breach notifications, data protection impact assessments, and consultation with supervisory authorities;
5. Assist the Controller in fulfilling its obligations to respond to requests for exercising data subject rights under GDPR;
6. Delete or return all personal data to the Controller at the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data;
7. Make available to the Controller all information necessary to demonstrate compliance with GDPR obligations and allow for and contribute to audits.

8. Subprocessors

{#$ subprocessors.length}The Processor may engage subprocessors under this Agreement. Subprocessors currently engaged include:

{/}

{#$ !subprocessors.length}The Processor does not engage any subprocessors under this Agreement.{/}

9. Data Transfers

{#transfersOutsideEU}The Processor may transfer personal data to countries outside the European Economic Area (EEA), provided that such transfers comply with the GDPR requirements for international data transfers.{/transfersOutsideEU}

{^transfersOutsideEU}The Processor does not transfer personal data outside the European Economic Area (EEA).{/transfersOutsideEU}

10. Security Measures

The Processor shall implement at least the following technical and organizational security measures:

{#securityMeasures}

• {measureDescription}

{/securityMeasures}

11. Contact Information

12. Signatures