Data Processing Agreement

The Data Processing Agreement is a legal document that outlines the obligations and responsibilities of the parties involved in the processing of personal data. It is entered into between the Controller and the Processor, who are parties to a Master Contract. The purpose of this Agreement is to set out additional obligations for the processing of personal data and define the procedures, mutual rights, and responsibilities of the parties.

 

The Agreement begins with an interpretation section, which includes definitions of key terms such as Data Protection Laws, EU GDPR, UK GDPR, Processor, Controller, Data Subject, Personal Data, Process, and Processing. These definitions provide clarity and ensure that both parties have a common understanding of the terms used throughout the Agreement.

 

The term of the Agreement is defined, stating that it will be effective from the date of signing and will continue as long as the Master Contract remains in effect. It also specifies that any breach of this Agreement will be considered a breach of the Master Contract.

 

The Agreement then addresses the processing of Controller Personal Data by the Processor. It states that during the term of the Agreement, the Processor will process the Controller Personal Data as described in Schedule 1. It also clarifies that the Controller Personal Data does not include any personal data relating to criminal convictions and offences or related security measures.

 

The purpose of the processing is defined in Schedule 1, along with the categories of personal data, any special categories of personal data, and the categories of data subjects involved. This section provides a clear understanding of the scope of the processing activities.

 

The Processor's data protection obligations are outlined in detail. The Processor is required to comply with all Data Protection Laws and other relevant laws, regulations, orders, and statutory instruments. They must ensure that the Controller Personal Data is only processed as necessary for the purposes set out in the Agreement and not for any incompatible purposes. The Processor must process the Controller Personal Data in accordance with the documented instructions issued by the Controller and may transfer the data to its personnel as necessary, ensuring that they are subject to contractual confidentiality obligations. The Processor is prohibited from engaging third parties or subcontractors to process the data without the Controller's permission. Additionally, the Processor must implement appropriate technical and organizational measures to ensure the security of the Controller Personal Data.

 

The Agreement includes provisions for handling data subject requests, complaints, and correspondences. The Processor is required to provide assistance to the Controller in fulfilling its statutory obligations regarding data subject requests and any other correspondence, inquiries, or complaints related to the processing of Controller Personal Data.

 

In the event of a data breach, the Processor must notify the Controller without undue delay and provide a report describing the breach, its consequences, and the measures taken to address and mitigate the damage. The Processor is also responsible for promptly informing the Controller if the Controller Personal Data is lost, destroyed, damaged, corrupt, or unusable.

 

Data retention and the return of Controller Personal Data are addressed in the Agreement. The Processor is prohibited from retaining or processing the data longer than necessary, except as required by statutory or professional retention periods. Upon termination or expiry of the Agreement, the Processor must destroy or return all Controller Personal Data upon the Controller's written request, unless retention is required by applicable laws.

 

The Agreement includes provisions for compliance and audit. The Controller reserves the right to conduct an audit or inspection of the Processor's records and arrangements for processing Controller Personal Data. The audit may be conducted by the Controller's personnel or an independent auditor, and the Processor is obligated to provide access to records and cooperate during the audit.

 

Indemnity provisions state that the Processor shall indemnify the Controller against any liabilities, costs, expenses, damages, and losses resulting from a breach of Data Protection Laws by the Processor, its employees, or agents.

 

The Agreement also covers amendment, assignment, severability, force majeure, and other general provisions to ensure the enforceability and validity of the Agreement.

 

The Agreement concludes with a jurisdiction clause and provisions for notices and service. It specifies the addresses of the parties for the purpose of serving notices and allows for various methods of service.

 

The Agreement may be executed in counterparts, and each counterpart is considered an original, forming one instrument.

 

Overall, the Data Processing Agreement is a comprehensive document that establishes the rights, obligations, and procedures for the processing of personal data between the Controller and the Processor.

How to use this document?

To use the Data Processing Agreement effectively, follow these steps:

1. Familiarize yourself with the Agreement: Read the entire Agreement carefully to understand its purpose, scope, and obligations.

2. Incorporate the Agreement into the Master Contract: Ensure that the Data Processing Agreement is incorporated as an appendix to the Master Contract and is subject to its terms.

3. Define key terms: Understand the definitions provided in the Agreement, such as Data Protection Laws, EU GDPR, UK GDPR, Processor, Controller, Data Subject, Personal Data, Process, and Processing.

4. Determine the term of the Agreement: Note the effective date of the Agreement and its termination conditions, which are tied to the termination of the Master Contract.

5. Identify Controller Personal Data: Review Schedule 1 to understand the nature of the processing, categories of personal data, any special categories of personal data, and the categories of data subjects involved.

6. Ensure compliance with Data Protection Laws: Both the Controller and the Processor must comply with all applicable Data Protection Laws and other relevant laws, regulations, orders, and statutory instruments.

7. Implement appropriate security measures: The Processor must establish and maintain appropriate technical and organizational measures to ensure the security of the Controller Personal Data.

8. Handle data subject requests and complaints: The Processor must assist the Controller in fulfilling its statutory obligations regarding data subject requests and any other correspondence, inquiries, or complaints related to the processing of Controller Personal Data.

9. Respond to data breaches: In the event of a data breach, the Processor must notify the Controller without undue delay, investigate the breach, and provide a report describing the breach and the measures taken to address and mitigate the damage.

10. Retain and return Controller Personal Data: The Processor must not retain or process the Controller Personal Data longer than necessary and must promptly destroy or return the data upon the Controller's written request.

11. Cooperate with audits and inspections: The Controller reserves the right to conduct audits or inspections of the Processor's records and arrangements for processing Controller Personal Data. The Processor must provide access to records and cooperate during the audit.

12. Ensure indemnity for breaches: The Processor is responsible for indemnifying the Controller against any liabilities, costs, expenses, damages, and losses resulting from a breach of Data Protection Laws.

13. Comply with general provisions: Adhere to the general provisions of the Agreement, such as those related to amendment, assignment, severability, force majeure, and notices.

14. Seek legal advice if necessary: If you have any doubts or concerns about the Agreement or its implications, consult with legal professionals to ensure compliance and understanding.

By following these steps, you can effectively use the Data Processing Agreement to establish a clear framework for the processing of personal data and ensure compliance with applicable laws and regulations.