DATA PROCESSING AGREEMENT
Pursuant to Article 28 of the General Data Protection Regulation (GDPR)
PARTIES
This Data Processing Agreement ("DPA" or "Agreement") is entered into as of [EFFECTIVE DATE] (the "Effective Date") by and between:
(1) DATA CONTROLLER:
[CONTROLLER LEGAL NAME]
[REGISTERED ADDRESS]
[REGISTRATION NUMBER]
(hereinafter referred to as the "Controller")
(2) DATA PROCESSOR:
[PROCESSOR LEGAL NAME]
[REGISTERED ADDRESS]
[REGISTRATION NUMBER]
(hereinafter referred to as the "Processor")
(each a "Party" and together the "Parties")
RECITALS
A. The Controller and Processor have entered into a principal agreement for the provision of services (the "Principal Agreement").
B. In the context of the Principal Agreement, the Processor will process personal data on behalf of the Controller.
C. Pursuant to Article 28(3) of the GDPR, the Parties wish to set out the terms governing such processing.
D. This DPA sets forth the data protection obligations of the Parties pursuant to Article 28 of the GDPR.
1. DEFINITIONS
For the purposes of this Agreement, the following terms shall have the meanings set out below. Terms not defined herein shall have the meanings given in the GDPR.
"Applicable Data Protection Law" means the GDPR and any applicable national laws implementing or supplementing the GDPR.
"Controller" has the meaning given in Article 4(7) of the GDPR.
"Data Subject" has the meaning given in Article 4(1) of the GDPR.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
"Personal Data" has the meaning given in Article 4(1) of the GDPR and refers to Personal Data Processed under this Agreement.
"Personal Data Breach" has the meaning given in Article 4(12) of the GDPR.
"Processing" has the meaning given in Article 4(2) of the GDPR.
"Processor" has the meaning given in Article 4(8) of the GDPR.
"Sub-processor" means any Processor engaged by the Processor to process Personal Data on behalf of the Controller.
"Supervisory Authority" has the meaning given in Article 4(21) of the GDPR.
2. SCOPE AND DETAILS OF PROCESSING
2.1 Subject Matter and Duration (Article 28(3))
The subject matter, duration, nature, and purpose of Processing, and the types of Personal Data and categories of Data Subjects are set out in Schedule 1 to this Agreement.
2.2 Controller's Processing Instructions
The Processor shall Process Personal Data only in accordance with the Controller's documented instructions, as set out in Schedule 2 to this Agreement, unless required to Process by Union or Member State law to which the Processor is subject (Article 28(3)(a)).
2.3 Compliance with Laws
Each Party shall comply with its respective obligations under Applicable Data Protection Law.
3. PROCESSOR OBLIGATIONS (Article 28(3))
3.1 Processing According to Instructions (Article 28(3)(a))
The Processor shall:
☐ Process Personal Data only on documented instructions from the Controller
☐ Inform the Controller immediately if, in the Processor's opinion, an instruction infringes the GDPR or other applicable data protection provisions
☐ Not process Personal Data for any purpose other than as instructed by the Controller
3.2 Confidentiality (Article 28(3)(b))
The Processor shall ensure that persons authorized to Process Personal Data:
☐ Have committed themselves to confidentiality, or
☐ Are under an appropriate statutory obligation of confidentiality
3.3 Security Measures (Article 28(3)(c) and Article 32)
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
☐ Pseudonymization and encryption of Personal Data
☐ Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
☐ Ability to restore availability and access to Personal Data in a timely manner following an incident
☐ Regular testing, assessing, and evaluating the effectiveness of security measures
The security measures are detailed in Schedule 3 to this Agreement.
3.4 Sub-processors (Article 28(3)(d) and Article 28(2))
Prior Authorization:
☐ The Processor shall not engage another processor (Sub-processor) without prior specific written authorization of the Controller
☐ The Processor shall not engage another processor (Sub-processor) without prior general written authorization of the Controller
General Authorization Process:
If general written authorization is provided:
- The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors
- The Controller shall have [NUMBER] days to object to such changes
- Current Sub-processors are listed in Schedule 4
Sub-processor Obligations:
The Processor shall:
- Ensure the same data protection obligations set out in this Agreement are imposed on any Sub-processor
- Remain fully liable to the Controller for the performance of Sub-processor obligations
3.5 Assistance with Data Subject Rights (Article 28(3)(e))
The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests exercising their rights under Chapter III of the GDPR (Articles 15-22), taking into account the nature of the Processing.
This includes assistance with requests for:
- Access (Article 15)
- Rectification (Article 16)
- Erasure (Article 17)
- Restriction (Article 18)
- Data portability (Article 20)
- Objection (Article 21)
3.6 Assistance with Compliance (Article 28(3)(f))
The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to:
☐ Article 32 (Security of processing)
☐ Article 33 (Notification of Personal Data Breach to supervisory authority)
☐ Article 34 (Communication of Personal Data Breach to Data Subject)
☐ Article 35 (Data protection impact assessment)
☐ Article 36 (Prior consultation)
The Processor shall provide such assistance taking into account the nature of the Processing and the information available to the Processor.
3.7 Data Deletion or Return (Article 28(3)(g))
At the Controller's choice, upon termination of the Principal Agreement, the Processor shall:
☐ Delete all Personal Data processed on behalf of the Controller, and certify such deletion in writing, OR
☐ Return all Personal Data to the Controller and delete existing copies
This obligation shall not apply to the extent that Union or Member State law requires storage of the Personal Data.
Timeframe for deletion/return: [NUMBER] days after termination
3.8 Audits and Inspections (Article 28(3)(h))
The Processor shall:
☐ Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28
☐ Allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller
Audit notice period: [NUMBER] days
Audit frequency: [SPECIFY]
4. PERSONAL DATA BREACH NOTIFICATION (Article 33)
4.1 Notification to Controller
The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data Breach.
Maximum notification timeframe: [NUMBER] hours
4.2 Information to be Provided
The notification shall include, at minimum:
- Description of the nature of the Personal Data Breach
- Categories and approximate number of Data Subjects concerned
- Categories and approximate number of Personal Data records concerned
- Contact details of the Processor's point of contact
- Description of likely consequences
- Description of measures taken or proposed to address the breach
4.3 Documentation
The Processor shall document any Personal Data Breaches, including:
- Facts relating to the breach
- Effects of the breach
- Remedial action taken
5. INTERNATIONAL DATA TRANSFERS
5.1 Restriction on Transfers
The Processor shall not transfer Personal Data to a third country or international organization unless:
☐ The Controller has provided prior written authorization, AND
☐ One of the following conditions is met:
    ☐ Adequacy decision exists (Article 45)
    ☐ Standard Contractual Clauses are in place (Article 46(2)(c))
    ☐ Binding Corporate Rules are in place (Article 46(2)(b))
    ☐ Other appropriate safeguards under Article 46
    ☐ Derogation under Article 49 applies
5.2 Transfer Impact Assessment
For transfers relying on Standard Contractual Clauses, the Processor shall:
- Conduct a Transfer Impact Assessment
- Implement supplementary measures where necessary
- Document the assessment and make it available to the Controller
6. LIABILITY AND INDEMNIFICATION
6.1 Liability (Article 82)
Each Party shall be liable in accordance with Article 82 of the GDPR.
6.2 Indemnification
☐ The Processor shall indemnify the Controller against all claims, damages, and expenses arising from the Processor's breach of this Agreement or Applicable Data Protection Law.
☐ Liability limitations are set forth in the Principal Agreement.
7. GENERAL PROVISIONS
7.1 Term and Termination
This Agreement shall remain in effect for the duration of the Principal Agreement and any period thereafter during which the Processor Processes Personal Data on behalf of the Controller.
7.2 Governing Law
This Agreement shall be governed by the laws of [JURISDICTION].
7.3 Amendments
This Agreement may only be amended in writing signed by both Parties.
7.4 Conflict
In the event of any conflict between this Agreement and the Principal Agreement, this Agreement shall prevail with respect to data protection matters.
7.5 Severability
If any provision of this Agreement is found to be unenforceable, the remaining provisions shall continue in full force and effect.
8. EXECUTION
IN WITNESS WHEREOF, the Parties have executed this Data Processing Agreement as of the Effective Date.
| CONTROLLER | PROCESSOR |
|---|---|
| [CONTROLLER NAME] | [PROCESSOR NAME] |
| By: _________________________ | By: _________________________ |
| Name: [AUTHORIZED SIGNATORY] | Name: [AUTHORIZED SIGNATORY] |
| Title: [TITLE] | Title: [TITLE] |
| Date: ________________________ | Date: ________________________ |
SCHEDULE 1: DETAILS OF PROCESSING
1. Subject Matter of Processing
[DESCRIBE THE SUBJECT MATTER]
2. Duration of Processing
[SPECIFY DURATION]
3. Nature and Purpose of Processing
[DESCRIBE NATURE AND PURPOSE]
4. Types of Personal Data
☐ Identity data (name, username, etc.)
☐ Contact data (email, phone, address)
☐ Financial data (payment details)
☐ Technical data (IP address, device identifiers)
☐ [OTHER CATEGORIES]
5. Categories of Data Subjects
☐ Customers
☐ Employees
☐ Business contacts
☐ Website visitors
☐ [OTHER CATEGORIES]
6. Special Categories of Personal Data (if applicable)
☐ Not applicable
☐ [SPECIFY WITH LEGAL BASIS UNDER ARTICLE 9(2)]
SCHEDULE 2: CONTROLLER'S DOCUMENTED INSTRUCTIONS
[PROVIDE DOCUMENTED INSTRUCTIONS FOR PROCESSING]
SCHEDULE 3: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The Processor implements the following security measures pursuant to Article 32:
Physical Security
☐ [DESCRIBE MEASURES]
Access Controls
☐ [DESCRIBE MEASURES]
Encryption
☐ [DESCRIBE MEASURES]
Backup and Recovery
☐ [DESCRIBE MEASURES]
Personnel Security
☐ [DESCRIBE MEASURES]
Incident Response
☐ [DESCRIBE MEASURES]
SCHEDULE 4: APPROVED SUB-PROCESSORS
| Sub-processor Name | Location | Processing Activities |
|---|---|---|
| [NAME] | [COUNTRY] | [ACTIVITIES] |
DOCUMENT CONTROL
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | [DATE] | [NAME] | Initial version |
Legal Review: ☐ Completed Date: _________ Reviewer: _________
This Agreement is provided for informational purposes and compliance with Article 28 of the GDPR. It does not constitute legal advice. Consult with qualified legal counsel before use.