Data Protection Agreement - GDPR

DATA PROTECTION AGREEMENT (INTERNATIONAL)

(Compliant with Regulation (EU) 2016/679 – General Data Protection Regulation (“GDPR”))

[// GUIDANCE: This template is drafted for a Controller–Processor relationship with potential onward transfers outside the European Economic Area. Add or remove modules if the relationship differs (e.g., Processor–Sub-Processor).]


TABLE OF CONTENTS

  1. Document Header
  2. Definitions
  3. Operative Provisions
    3.1 Processing Scope & Instructions
    3.2 Compliance with Applicable Data Protection Law
    3.3 Sub-Processing
    3.4 Security of Processing
    3.5 International Data Transfers
    3.6 Cooperation & Data Subject Rights
    3.7 Records; DPIA & Consultations
    3.8 Deletion or Return of Personal Data
  4. Representations & Warranties
  5. Covenants & Restrictions
  6. Default & Remedies
  7. Risk Allocation
    7.1 Indemnification
    7.2 Limitation of Liability
    7.3 Insurance
    7.4 Force Majeure
  8. Dispute Resolution
  9. General Provisions
  10. Execution Block
  11. Annexes

1. DOCUMENT HEADER

This Data Protection Agreement (“Agreement”) is entered into and made effective as of [EFFECTIVE DATE] (“Effective Date”) by and between:

(a) [FULL LEGAL NAME OF DATA EXPORTER], a company incorporated under the laws of [COUNTRY/STATE], with its registered office at [ADDRESS] (“Controller” or “Data Exporter”); and

(b) [FULL LEGAL NAME OF DATA IMPORTER], a company incorporated under the laws of [COUNTRY/STATE], with its registered office at [ADDRESS] (“Processor” or “Data Importer”).

Jurisdiction & Governing Law. Unless expressly stated otherwise herein, this Agreement is governed by and shall be construed in accordance with EU GDPR and the laws of [EU MEMBER STATE CHOSEN FOR GOVERNING LAW] without regard to its conflict-of-laws rules.

Recitals
A. The Controller wishes to engage the Processor to perform certain services that require the Processor to Process Personal Data on the Controller’s behalf.
B. The parties desire to ensure that such Processing is conducted in accordance with GDPR and with due respect for the rights and freedoms of Data Subjects.
C. The parties therefore agree to the terms and conditions set forth below.


2. DEFINITIONS

For ease of reference, capitalized terms have the meanings set out below and shall apply equally to singular and plural forms. Terms not defined herein have the meanings ascribed to them in the GDPR.

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party, where “control” means direct or indirect ownership of more than fifty percent (50%) of the voting interests of an entity.

“Applicable Data Protection Law” means all data protection and privacy laws and regulations applicable to the Processing of Personal Data under this Agreement, including GDPR and, where relevant, the laws of any other country.

“Data Subject”, “Personal Data”, “Processing”, “Controller”, “Processor”, “Personal Data Breach”, and “Supervisory Authority” shall have the meanings given in GDPR Art. 4.

“International Transfer” means any transfer of Personal Data that is subject to Chapter V GDPR.

“Standard Contractual Clauses” or “SCCs” means the clauses annexed to Commission Implementing Decision (EU) 2021/914, as may be amended or replaced (“2021 SCCs”).

“Technical and Organisational Measures” or “TOMs” means the measures described in Annex II.

[// GUIDANCE: Insert additional defined terms (e.g., “Services,” “Sub-Processor”) as necessary to match the commercial agreement.]


3. OPERATIVE PROVISIONS

3.1 Processing Scope & Instructions

(a) Subject-Matter. The Processor shall Process Personal Data solely for the purpose of providing [DESCRIPTION OF SERVICES] (“Services”) pursuant to [REFERENCE TO MASTER SERVICES AGREEMENT OR STATEMENT OF WORK].
(b) Documented Instructions. The Controller instructs the Processor to Process Personal Data (i) as necessary to provide the Services; (ii) as documented in Annex I; and (iii) as further instructed by the Controller in writing. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
(c) Duration. Processing shall commence on the Effective Date and continue until the earliest of (i) termination or expiry of the Services, or (ii) deletion/return of all Personal Data in accordance with Section 3.8.

3.2 Compliance with Applicable Data Protection Law

The Processor shall comply with all obligations applicable to “processors” under GDPR, including without limitation Articles 28, 29, 30, 32, 33, and 35.

3.3 Sub-Processing

(a) Authorised Sub-Processors. Controller hereby authorises the use of Sub-Processors listed in Annex III.
(b) Appointment Requirements. Prior to engaging any new Sub-Processor, Processor shall:
(i) notify Controller at least [NUMBER] days in advance;
(ii) obtain Controller’s written consent (not to be unreasonably withheld); and
(iii) enter into a written agreement with the Sub-Processor imposing data protection obligations no less protective than those in this Agreement.
(c) Liability. Processor remains fully liable to Controller for any Sub-Processor’s performance under this Agreement.

3.4 Security of Processing

(a) TOMs. Processor shall implement the TOMs described in Annex II and any additional measures required under Article 32 GDPR, taking into account the state of the art, costs, and risks.
(b) Confidentiality. Processor shall ensure that all persons authorised to Process Personal Data are subject to appropriate confidentiality obligations.

3.5 International Data Transfers

(a) SCCs. To the extent any International Transfer occurs, the parties agree that the SCCs (Module 2: Controller-to-Processor) are hereby incorporated by reference and shall apply, with Annexes I–III of this Agreement forming the corresponding Annexes of the SCCs.
(b) Conflicts. In the event of any conflict between this Agreement and the SCCs, the SCCs shall prevail.
(c) Supplemental Measures. Processor shall implement supplemental technical, contractual, and organisational safeguards, as reasonably necessary, to ensure an essentially equivalent level of protection.

3.6 Cooperation & Data Subject Rights

(a) Data Subject Requests. Processor shall promptly, and in any event within [NUMBER OF DAYS] business days, notify Controller of any Data Subject request relating to Personal Data and, if directed by Controller, assist in responding to the request.
(b) Supervisory Authority Inquiries. Processor shall notify Controller without undue delay of any inquiry or inspection by a Supervisory Authority relating to Processing under this Agreement.
(c) Data Protection Impact Assessments. Processor shall provide reasonable assistance to Controller in conducting DPIAs and prior consultations under Articles 35–36 GDPR.

3.7 Records; DPIA & Consultations

Processor shall maintain records of Processing in accordance with Article 30(2) GDPR and make such records available to Controller upon request.

3.8 Deletion or Return of Personal Data

Upon termination or expiration of the Services, Processor shall, at Controller’s choice, delete or return all Personal Data and delete existing copies, unless EU or Member State law requires storage.


4. REPRESENTATIONS & WARRANTIES

4.1 Mutual Representations. Each party represents and warrants that:
(a) it is duly organised, validly existing, and in good standing under the laws of its jurisdiction;
(b) the execution of this Agreement has been duly authorised; and
(c) its performance hereunder will not violate any applicable law or conflict with any other agreement.

4.2 Processor Warranty. Processor further warrants that it has implemented, and will maintain, TOMs sufficient to comply with Article 32 GDPR.

4.3 Survival. The representations and warranties in this Section survive termination of this Agreement for so long as either party Processes Personal Data under this Agreement.


5. COVENANTS & RESTRICTIONS

5.1 Processor shall not:
(a) Process Personal Data for its own purposes;
(b) sell, rent, or lease Personal Data; or
(c) combine Personal Data with data obtained from other sources, except as instructed by Controller.

5.2 Audit Rights.
(a) Processor shall make available to Controller all information necessary to demonstrate compliance with Article 28 GDPR.
(b) Controller may, up to once per 12-month period and upon [NUMBER] days’ prior written notice, conduct or have conducted an audit (including inspections) of Processor’s Processing facilities, provided such audit (i) is during normal business hours, (ii) minimises disruption, and (iii) is subject to confidentiality obligations.

5.3 Notice of Breach. Processor shall notify Controller without undue delay, and in any event within 24 hours after becoming aware, of any Personal Data Breach affecting Personal Data.


6. DEFAULT & REMEDIES

6.1 Events of Default include:
(a) Material breach of Sections 3, 4, 5, or 7;
(b) Failure to cure any non-material breach within [30] days after written notice;
(c) Repeated minor breaches indicating a pattern of non-compliance.

6.2 Cure & Mitigation. Upon an Event of Default, Processor shall promptly:
(a) take all steps necessary to remedy the breach;
(b) provide Controller with a root-cause analysis; and
(c) implement preventive measures.

6.3 Graduated Remedies. If Processor fails to cure within the specified period, Controller may, in escalating order:
(a) suspend the relevant Processing operations;
(b) require Processor to cease all Processing; or
(c) terminate this Agreement and, if applicable, any underlying Services agreement, without penalty.

6.4 Costs & Fees. The defaulting party shall bear all reasonable costs arising from remediation, including third-party forensic services, notifications, and credit monitoring where applicable.


7. RISK ALLOCATION

7.1 Indemnification

Processor shall indemnify, defend, and hold harmless Controller, its Affiliates, and their respective officers, directors, and employees (collectively, “Controller Indemnitees”) from and against all claims, damages, fines, penalties, or costs (including reasonable attorney fees) arising out of or relating to:
(a) Processor’s breach of its obligations under this Agreement; or
(b) Processor’s violation of Applicable Data Protection Law.

[// GUIDANCE: Consider reciprocal indemnity if the parties have balanced bargaining power.]

7.2 Limitation of Liability

(a) GDPR Penalties Carve-Out. Nothing in this Agreement shall limit either party’s liability for administrative fines imposed by a Supervisory Authority or damages payable to Data Subjects under GDPR Art. 82 that are attributable to that party’s breach.
(b) Aggregate Cap. Subject to Section 7.2(a), each party’s total aggregate liability under or in connection with this Agreement shall not exceed [PERCENTAGE]% of the fees paid or payable by Controller to Processor in the [12] months preceding the event giving rise to liability.
(c) Exclusions. Liability is not limited for (i) death or personal injury; (ii) gross negligence or wilful misconduct; or (iii) fraudulent misrepresentation.

7.3 Insurance

Processor shall maintain, at its own expense, cyber/data protection liability insurance with minimum limits of [AMOUNT & CURRENCY] per incident and in the aggregate, and shall provide certificates of insurance upon request.

7.4 Force Majeure

Neither party shall be liable for failure to perform caused by events beyond its reasonable control, except that this Section shall not apply to obligations to protect Personal Data or remedy Personal Data Breaches.


8. DISPUTE RESOLUTION

8.1 Good-Faith Negotiation. The parties shall attempt in good faith to resolve any dispute arising out of or relating to this Agreement within [30] days of written notice of the dispute.

8.2 Limited Arbitration. If the dispute is not resolved through negotiation, and only with respect to monetary claims not exceeding [THRESHOLD AMOUNT & CURRENCY], either party may submit the dispute to binding arbitration under the Rules of Arbitration of the International Chamber of Commerce (“ICC”). Seat of arbitration: [EU CITY]. Language: English. The arbitrator’s decision shall be final and binding, subject to enforcement in any competent court.

8.3 Court Proceedings & Forum Selection. For all other disputes, the parties irrevocably submit to the exclusive jurisdiction of the courts of [EU MEMBER STATE CITY].

8.4 Injunctive Relief. Notwithstanding Sections 8.1–8.3, either party may seek immediate injunctive or other equitable relief before any competent court to protect Personal Data or secure compliance with this Agreement.


9. GENERAL PROVISIONS

9.1 Amendments & Updates. Any amendment must be in writing and signed by authorised representatives of both parties. Processor may propose updates required by changes in Applicable Data Protection Law; Controller shall not unreasonably withhold consent.

9.2 Assignment. Neither party may assign or transfer any of its rights or obligations under this Agreement without the prior written consent of the other, except to an Affiliate or successor in a merger or sale of substantially all assets, provided such assignee agrees in writing to be bound by this Agreement.

9.3 Severability. If any provision is held unenforceable, the remainder shall remain in full force, and the invalid provision shall be replaced by a valid provision that most closely reflects the parties’ intent.

9.4 Entire Agreement. This Agreement (including its Annexes and the SCCs) constitutes the entire agreement between the parties regarding its subject matter and supersedes all prior agreements or understandings.

9.5 Waiver. No failure or delay by either party in exercising any right hereunder shall constitute a waiver of that or any other right.

9.6 Counterparts & Electronic Signatures. This Agreement may be executed in counterparts, each of which shall be deemed an original. Electronic signatures (including via DocuSign or similar) shall be deemed to have the same legal effect as original signatures.


10. EXECUTION BLOCK

CONTROLLER
[FULL LEGAL NAME]
By: ________
Name: [PRINTED NAME]
Title: [TITLE]
Date: _____

PROCESSOR
[FULL LEGAL NAME]
By: ________
Name: [PRINTED NAME]
Title: [TITLE]
Date: _____

[// GUIDANCE: Insert notarisation or witness lines only if mandated by the governing jurisdiction or internal corporate policy.]


11. ANNEXES

Annex I – Details of Processing
A. Categories of Data Subjects: [EMPLOYEES, CUSTOMERS, ETC.]
B. Categories of Personal Data: [IDENTIFY DATA TYPES]
C. Special Categories (if any): [BIOMETRIC, HEALTH, ETC.]
D. Purpose & Nature of Processing: [E.G., HOSTING, SUPPORT]
E. Duration/Retention: [TERM + X DAYS]

Annex II – Technical & Organisational Measures
1. Encryption in transit (TLS 1.2+) and at rest (AES 256-bit).
2. Access controls: Role-based, principle of least privilege.
3. Incident response plan with <24-hour breach notification.
4. Regular penetration testing and vulnerability scans.
5. Business continuity & disaster recovery procedures.

[// GUIDANCE: Replace, expand, or detail the TOMs to reflect actual practices; vague or aspirational language can jeopardise compliance.]

Annex III – Authorised Sub-Processors
| Name | Address | Service Description | Location |
|------|---------|--------------------|----------|
| [SUB-PROCESSOR 1] | | | |
| [SUB-PROCESSOR 2] | | | |

Annex IV – Standard Contractual Clauses (2021)
[// GUIDANCE: Attach completed SCCs or incorporate by reference as permitted. Ensure the correct module and optional clauses are selected.]


[// GUIDANCE: Before execution, verify alignment between this Agreement, the commercial contract, and the parties’ actual data flows. Perform a Transfer Impact Assessment (TIA) if Personal Data will be transferred to jurisdictions without an adequacy decision.]
