

How to use our DPA Template

  1. Replace any [Placeholder Text] with your specific details.
  2. Fill out any fields marked _________.
  3. Ensure that your DPA accurately reflects your data practices and complies with the data privacy laws that apply to you.
  4. Regularly review and update your DPA to stay compliant with evolving regulations.
  5. It’s advisable to seek legal counsel to customize this template to your specific circumstances and ensure full compliance.


Data Processing Agreement Template

This Data Processing Agreement (“Agreement”) forms part of the Contract for Services (“Principal Agreement”) between:

[Your Company] and [Processor Company]


WHEREAS


(A) The Company acts as a Data Controller.

(B) The Company wishes to subcontract certain Services, which involve the processing of personal data, to the Data Processor.

(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework for data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(D) The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

Definitions and Interpretation

  • 1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
    • 1.1.1. “Agreement” means this Data Processing Agreement and all Schedules;
    • 1.1.2. “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of the Company under or in connection with the Principal Agreement;
    • 1.1.3. “Contracted Processor” means a Subprocessor;
    • 1.1.4. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
    • 1.1.5. “EEA” means the European Economic Area;
    • 1.1.6. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
    • 1.1.7. “GDPR” means EU General Data Protection Regulation 2016/679;
    • 1.1.8. “Data Transfer” means:
      • 1.1.8.1. a transfer of Company Personal Data from the Company to a Contracted Processor; or
      • 1.1.8.2. an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
    • 1.1.9. “Services” means the __________________ services the Company provides;
    • 1.1.10. “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.
  • 1.2. The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

Processing of Company Personal Data

  • 2.1. Processor shall:
    • 2.1.1. comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
    • 2.1.2. not Process Company Personal Data other than on the relevant Company’s documented instructions.
  • 2.2. The Company instructs Processor to process Company Personal Data.

Processor Personnel

  • 3.1. Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, and ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

Security

  • 4.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
  • 4.2. In assessing the appropriate level of security, the Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

Subprocessing

  • 5.1. Processor shall not appoint (or disclose any Company Personal Data to) any Subprocessor unless required or authorized by the Company.

Data Subject Rights

  • 6.1. Taking into account the nature of the Processing, the Processor shall assist the Company by implementing appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Company obligations, as reasonably understood by the Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
  • 6.2. Processor shall:
    • 6.2.1. promptly notify the Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
    • 6.2.2. ensure that it does not respond to that request except on the documented instructions of the Company or as required by Applicable Laws to which the Processor is subject, in which case the Processor shall to the extent permitted by Applicable Laws inform the Company of that legal requirement before the Contracted Processor responds to the request.

Personal Data Breach

  • 7.1. Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet

What is a Data Processing Agreement (DPA)

A Data Processing Agreement (DPA) is a contract between a data controller and a data processor that sets out how the processor may handle personal data, including personally identifiable information (PII), on the controller’s behalf. It binds the processor to the agreement’s terms, providing a framework to manage and protect sensitive information. DPAs set clear guidelines for data handling practices, helping companies comply with legal regulations and protect consumer privacy.

Who needs a DPA?

Many kinds of organizations need Data Processing Agreements to regulate the handling of consumer data. These include:

  • Online retailers
  • Internet marketers
  • Affiliates
  • Online service providers
  • Professional services firms
  • B2B companies
  • Financial institutions
  • Technology firms
  • Medical providers

Organizations whose core activities involve large-scale processing of personal data (and public authorities) may also be required under the GDPR to appoint a Data Protection Officer (DPO) to oversee compliance and enforce data privacy policies.

Why Your Company Needs a DPA

Ensuring compliance with jurisdiction-specific laws is imperative. Failure to have DPAs in place may lead to significant penalties. Notable regulations include:

  1. DPAs and the GDPR: The General Data Protection Regulation (GDPR) applies to organizations established in the EU/EEA and to organizations elsewhere that offer goods or services to, or monitor the behavior of, individuals in the EU. Article 28 of the GDPR requires a written contract between controller and processor that sets out the subject matter, duration, nature, and purpose of the processing, the types of personal data and categories of data subjects, and the processor’s obligations, including acting only on documented instructions, securing the data, and assisting the controller with data subject rights and breach notification.
  2. DPAs and the CCPA: The California Consumer Privacy Act (CCPA) governs how businesses collect, use, and sell the personal information of California consumers, and requires written contracts with service providers and contractors that restrict how they may use that information. It gives consumers rights such as the right to know, to delete, to opt out of the sale of their data, and to receive equal service and prices regardless of whether they exercise those rights.

Key Terms & Definitions in a DPA

DPAs, like all contracts, contain key terms and provisions crucial for understanding rights and responsibilities:

  • Subject Matter: This refers to the primary focus or subject of the agreement, which in the context of a DPA, is the processing of personal data. It outlines what data will be processed and for what purpose.
  • Duration: This term specifies the period for which the agreement is valid or in effect. It indicates the start and end date of the agreement or may specify conditions under which the agreement can be terminated.
  • Purpose: The purpose of the agreement delineates the reasons for which personal data is being processed. It clarifies the intended use of the data and ensures that it aligns with legal and ethical standards.
  • Data Used: This term defines the types of data that will be processed under the agreement. It includes the categories of personal data as well as any special categories of data, such as health data, and other sensitive data such as financial information.
  • Data Categorizations: This refers to the classification or categorization of data based on its sensitivity, value, or other criteria. It helps in establishing different levels of protection and handling procedures for various types of data.
  • Rights and Obligations: These are the privileges and duties assigned to each party involved in the agreement. It outlines what the data controller and data processor are responsible for, including compliance with data protection laws and regulations.
