Viktoria Compliance

This document is a template provided as a starting point for your compliance documentation. It does not constitute legal advice and should be reviewed by a qualified legal professional before use. Viktoria Compliance accepts no liability for the use of this template.

Data Processing Agreement Template


Version 1.0.0 — Last updated 2026-03-20

1. Parties to This Agreement

This Data Processing Agreement ('Agreement') is entered into between:

Data Controller: [controllerName], located at [controllerAddress] ('Controller')

Data Processor: [processorName], located at [processorAddress] ('Processor')

This Agreement forms part of the service agreement between the parties and governs the Processor's processing of personal data on behalf of the Controller in accordance with Article 28 GDPR.

2. Definitions

In this Agreement, the following terms have the meanings set out in Article 4 GDPR: 'Personal Data' means any information relating to an identified or identifiable natural person; 'Processing' means any operation performed on personal data; 'Data Subject' means the identified or identifiable natural person; 'Supervisory Authority' means the independent public authority responsible for monitoring the application of the GDPR. Capitalised terms not defined herein have the meanings given to them in the GDPR.

3. Scope and Purpose of Processing

The Processor shall process personal data on behalf of the Controller for the following purpose(s): [processingPurpose]. The categories of personal data processed include: [dataCategories]. The categories of data subjects include: [dataSubjectCategories]. The duration of processing shall be for the term of the underlying service agreement between the parties, unless otherwise specified.

4. Obligations of the Processor

The Processor shall: (a) process personal data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required by Union or Member State law (Article 28(3)(a)); (b) ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b)); (c) take all measures required pursuant to Article 32 GDPR regarding security of processing (Article 28(3)(c)); (d) respect the conditions for engaging sub-processors as set out in Section 6 (Article 28(3)(d)); (e) assist the Controller in fulfilling data subject rights requests (Article 28(3)(e)); (f) assist the Controller in ensuring compliance with Articles 32–36 GDPR (Article 28(3)(f)); (g) at the choice of the Controller, delete or return all personal data upon termination of services (Article 28(3)(g)); (h) make available to the Controller all information necessary to demonstrate compliance and allow for audits (Article 28(3)(h)).

5. Obligations of the Controller

The Controller shall: (a) provide documented processing instructions to the Processor; (b) ensure that the processing of personal data complies with the GDPR and all applicable data protection laws; (c) conduct data protection impact assessments where required; (d) respond to data subject requests in a timely manner with the Processor's assistance; and (e) notify the Processor of any changes to processing instructions that may affect the Processor's obligations.

6. Sub-processors

The Processor shall not engage another processor (sub-processor) without prior specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor shall inform the Controller of any intended additions or replacements of sub-processors, giving the Controller the opportunity to object. Current sub-processors: [subProcessors]. The Processor shall impose the same data protection obligations on sub-processors by way of a contract, ensuring in particular that sufficient guarantees are provided to implement appropriate technical and organisational measures.

7. Data Subject Rights

The Processor shall assist the Controller, by appropriate technical and organisational measures and insofar as possible, in the fulfilment of the Controller's obligation to respond to requests for exercising data subject rights under Chapter III GDPR. This includes requests for access, rectification, erasure, restriction, portability, and the right to object. The Processor shall promptly notify the Controller of any data subject request received directly.

8. Security Measures

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. These measures include, as appropriate: (a) pseudonymisation and encryption of personal data; (b) the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems; (c) the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing, and evaluating the effectiveness of security measures.

9. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach. The notification shall include: (a) the nature of the breach including, where possible, the categories and approximate number of data subjects and records concerned; (b) the name and contact details of the data protection officer or other point of contact; (c) the likely consequences of the breach; (d) the measures taken or proposed to address the breach, including measures to mitigate its effects.

10. International Transfers

The Processor shall not transfer personal data to a third country or international organisation without the prior written consent of the Controller. Any transfer shall be subject to appropriate safeguards as required by Chapter V GDPR, including Standard Contractual Clauses, adequacy decisions, or Binding Corporate Rules.

11. Audits and Inspections

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this Agreement, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other data protection provisions.

12. Termination and Data Return

Upon termination of the service agreement, the Processor shall, at the choice of the Controller: (a) return all personal data to the Controller in a structured, commonly used, and machine-readable format; or (b) delete all personal data and certify in writing that deletion has been completed. This obligation does not apply to the extent that the Processor is required by Union or Member State law to retain the personal data.

13. Liability

Each party shall be liable for damage caused by processing that infringes the GDPR in accordance with Article 82 GDPR. The Processor shall be liable for damage caused by processing where it has not complied with obligations specifically directed to processors under the GDPR or where it has acted outside or contrary to lawful instructions of the Controller.

This Agreement is effective as of 2026-04-26.
