(DPA) Controller Data Processing Agreement

This document is a data processing agreement between two parties, a controller and processor, regarding the processor's handling of the controller's personal data. It defines key terms related to data protection laws and outlines the processor's general responsibilities to process data according to the controller's instructions, maintain security measures, assist with data subject rights requests, and not transfer data outside the EU/EEA without consent. The processor agrees to comply with the controller's instructions and applicable data protection laws when processing personal data.
1. Purpose
This Data Processing Agreement (“DPA”) has been concluded between [doc.Controller] [doc.(C)Number] (“Us”, “We” or “Our”) and [doc.Processor] [doc.(P)Number] (the “Supplier”) on the [doc.AgreementDate] and describes the terms and conditions applicable to the processing of personal data by the Supplier on behalf of Us.
Unless otherwise stated in this DPA, the terms and conditions (including definitions) of the agreement for services concluded between us and the Supplier (the “Principal Agreement”) shall apply.

2. Definitions
“Data Protection Law(s)” means (a) EU or EU Member State laws applicable to any of our Personal Data in respect of which the Supplier is subject including, without limitation, the GDPR for so long as it remains in legal effect; and (b) any other applicable law with respect to our Personal Data in respect of which the Supplier is subject;
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
“Personal Data” means any information relating to an identified or identifiable natural person;
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed; and
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; “Process” and “Processed” shall have an equivalent meaning.

3. General
3.1 This DPA is a contract that governs the Processing by the Supplier of Personal Data provided to the Supplier by us (or our employees, subcontractors or affiliates on our behalf). This DPA specifies the terms and conditions under which the Supplier Processes such Personal Data on our behalf when the Supplier is providing services to us.
3.2 The Parties’ intention is to conclude this DPA in order to comply with the requirements of the GDPR and other Data Protection Laws.
3.3 We are the data controller (as defined by the GDPR) of our Personal Data Processed by the Supplier under the Principal Agreement, and the Supplier is the data processor (as defined by the GDPR), who Processes the said Personal Data on our behalf and in accordance with our instructions under this DPA.
3.4 Annex A to this DPA sets out the categories of data subjects, categories of Processing carried out by the Supplier, and the purpose for which the Supplier Processes our Personal Data.

4. Our Instructions
4.1 We will provide the Supplier with written instructions on the Processing of Personal Data, and the Supplier agrees to Process the Personal Data only in accordance with such documented instructions received from us.
4.2 We will provide the Supplier with written instructions regarding transfers of Personal Data to a third country, subject to paragraph 7. of this DPA.

Page 1 of 8 | Controlled Document ID:COMPLYDOCS-1910859172-3


4.3 The Supplier will notify us immediately (unless the applicable legislation prohibits such notification), if the Supplier considers that the written instructions given by us are in violation of the Data Protection Laws applicable to the Supplier.

5. General Responsibilities of the Supplier
5.1 The Supplier must Process the Personal Data with due care and in compliance with this DPA and the Data Protection Laws. The Supplier may not Process Personal Data for any purpose other than that stipulated in the Principal Agreement and this DPA.
5.2 The Supplier will keep Personal Data confidential and will not disclose Personal Data in any way to any third party without prior written approval from us, unless the disclosure is strictly necessary for compliance with a mandatory legal obligation.
5.3 The Supplier must implement and maintain appropriate technical and organisational measures and controls required by Data Protection Laws to ensure sufficient security of Processing and to prevent Personal Data Breaches.
5.4 The Supplier will assist us with appropriate technical and organisational measures that are necessary for us to fulfil our obligation to respond to requests concerning the exercise of the data subject's rights relating to Personal Data under the Data Protection Laws.
5.5 If a Party receives a request concerning the exercise of a data subject’s rights relating to Personal Data, the Party receiving the request must notify the other Party of the request without undue delay after the receipt of the request if its fulfilment requires any actions from the other Party.
5.6 The Supplier may fulfil a request referred to in 5.5 above only upon our written request or confirmation of the actions to be taken. The Supplier will comply with our further instructions relating to fulfilment of such request. The Supplier will upon our request provide us with the necessary documentation to confirm that the Supplier has fulfilled our request appropriately.
5.7 If the data subject’s request concerns the right of access to data, the Supplier will, upon our request, provide us with a copy of the data subject’s Personal Data undergoing Processing.
5.8 The Supplier will assist us in ensuring compliance with the following obligations under the GDPR as may be requested by us from time to time:
(a) notification of Personal Data Breaches to supervisory authorities and the data subjects;
(b) participating in any data protection impact assessment at our request; and
(c) participating in any prior consultation of the supervisory authority at our request.
5.9 The Supplier will make available to us, upon our request, such information as is necessary to demonstrate compliance with the obligations laid down in the Data Protection Laws relating to the Personal Data.

6. Data Security
6.1 The Supplier shall implement appropriate and adequate technical and organisational measures, in line with good industry practice, to protect the Personal Data and to ensure an appropriate and adequate level of security so that Personal Data are Processed in accordance with the requirements set out in this DPA and the Data Protection Laws.
6.2 The Supplier must ensure that the persons Processing Personal Data have committed themselves to confidentiality obligations both during and after the Processing or are under an appropriate statutory obligation of confidentiality.
6.3 The Supplier will ensure that only the relevant employees have access to the Personal Data Processed under this DPA. The Supplier will implement necessary measures to ensure that the said persons only Process Personal Data in accordance with this DPA and our written instructions.

6.4 Subject to paragraph 4. of this DPA, the Supplier undertakes to comply with the instructions that we may communicate in writing and any regulatory information security requirements applicable to the Supplier’s operations.
6.5 At our written request, the Supplier will provide us with a written report on the implementation of the aforementioned measures and instructions.
6.6 If we at any time consider that the measures implemented by the Supplier are insufficient for ensuring the protection of Personal Data in accordance with the Personal Data Legislation, the Supplier will implement the additional measures proposed by us and agreed between the Parties to ensure the data security, subject to the Parties agreeing on the compensation or division of the increased costs caused by such additional measures.

7. Transfers of Personal Data
7.1 The Supplier is not entitled to transfer Personal Data outside the EU or the EEA without our explicit prior written consent. In case the Supplier transfers Personal Data outside the EU or the EEA at our written request or with our prior written consent, we and the Supplier will agree on any required contractual and other measures before the transfer of the Personal Data, which shall as a minimum contain those set out in paragraph 7.3 below. The same requirement applies to any subcontractors used by the Supplier.
7.2 The Supplier will notify us upon request of the countries in which Personal Data will be Processed (including the countries from which the Personal Data can be accessed).
7.3 Where the Supplier requests our consent pursuant to paragraph 7.1, for example, where the Supplier or its subcontractors are located, or have their servers located, outside of the EEA, our consent shall be subject to:
(a) the Supplier taking all steps necessary to ensure an adequate level of protection to any Personal Data that is transferred, which may include entry into appropriate contractual arrangements with such non-EEA recipient for the transfer of Personal Data to applicable third countries outside the EEA as adopted and approved by the EU Commission or competent data protection regulatory authority in accordance with applicable Data Protection Laws (Standard Data Protection Clauses) or third party self-certification under the EU-United States Privacy Shield Program (as may be evolved, superseded or replaced from time to time), for which purpose we shall grant to the Supplier a mandate to enter into the Standard Data Protection Clauses with approved subcontractors on our behalf; and
(b) the Supplier working with us, as we require, and at no additional cost, to apply for and obtain any permit, authorisation or consent that may be required under applicable Data Protection Laws in respect of the implementation of this paragraph 7.3.
7.4 As between the Supplier and us, the Supplier shall remain liable for acts or omissions of any third-party processor appointed by the Supplier pursuant to paragraph 7.3.
7.5 We may, at any time on not less than 30 days’ notice, revise this paragraph 3. “General” by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).

8. Subcontractors
8.1 The Supplier is not entitled to use subcontractors in the Processing of Personal Data without our prior written consent (to which the provisions of paragraph 7. “Transfers of Personal Data” shall apply where any such subcontractor is located or carries out any of its Processing activities outside of the EEA). The Supplier shall be responsible that its subcontractors Process the Personal Data in accordance with this DPA and the Data Protection Laws. The Supplier will inform us of any intended changes (taking place after conclusion of this DPA) concerning the subcontractors and will give us the opportunity to object to such changes.

8.2 The Supplier is responsible for ensuring that its subcontractors Process the Personal Data in accordance with this DPA. The Supplier must especially ensure that each subcontractor implements all the appropriate technical and organisational measures and controls so that the Personal Data are Processed in accordance with this DPA and the Data Protection Laws.
8.3 The Supplier will, at our written request, provide us with a written confirmation on how the Supplier has ensured that its subcontractors comply with the aforementioned obligations.

9. Personal Data and Data Security Breaches
9.1 In the case of a Personal Data Breach, the Supplier will notify us of the Breach without undue delay and not later than 24 hours after having become aware of it.
9.2 When notifying us of a Personal Data Breach, or immediately after such notification, the Supplier will provide us with the following information:
(a) a description of the Personal Data Breach, including when possible the categories and approximate number of data subjects concerned, and the categories and approximate number of Personal Data records concerned;
(b) the contact information of the Supplier’s contact point where more information can be obtained; and
(c) a description of the measures taken by the Supplier to address the Personal Data Breach and the measures taken to mitigate the adverse effects of the Personal Data Breach.
9.3 The Supplier undertakes to provide us any additional information reasonably requested by us regarding such Personal Data Breach, for example for the purpose of notifying the supervisory authority and the data subjects of the Personal Data Breach.
9.4 The Supplier will implement necessary measures to prevent or mitigate the adverse effects of a Personal Data Breach.
9.5 The Supplier will document all Personal Data Breaches, including circumstances concerning the Breach, and the remedial measures taken. The Supplier will provide us with the documentation on our written request.

10. Records of Processing Activities
10.1 The Supplier must maintain a record of the Processing activities carried out on behalf of us. The record will contain the following information (as required by the GDPR):
(a) the name and contact details of us, the Supplier and the Supplier’s contact person, and information about possible subcontractors;
(b) the categories of Processing carried out on behalf of us;
(c) information on transfers of Personal Data outside the EU or EEA, including the said third countries; and
(d) a description of the technical and organisational safety measures implemented by the Supplier in accordance with paragraph 5. “General Responsibilities of the Supplier” of this DPA.
10.2 The Supplier will provide us with the record on our written request.

11. Right to Audit
11.1 The Supplier will provide us with all information reasonably requested by us to demonstrate the Supplier’s compliance with the requirements of this DPA (including any implementation of the appropriate technical and organisational measures).
11.2 During the term of this DPA, we or an independent third-party auditor appointed by us will have the right to audit the Supplier’s compliance with the obligations under this DPA (including any implementation of the appropriate technical and organisational measures).

11.3 We must notify the Supplier of the audit at least 14 days in advance. The Supplier will always allow the regulatory authority supervising our business to conduct audits targeted at our obligations as data controller. The relevant parts of this paragraph 11. “Right to Audit” will be applied to such audits.
11.4 The subject of the audit will be the Supplier’s documentation, processes and controls related to information security and the Processing of Personal Data and other information necessary to evaluate the Supplier’s compliance with this DPA. The Supplier will participate in and contribute to the audit to the extent necessary. The Supplier will also, on our request, participate in a supervisory authority’s audit targeted at us and provide the supervisory authority with the required information to conduct such audit. Both we and the Supplier agree to cooperate, on request, with the supervisory authority in the performance of its tasks.
11.5 Each Party will bear its own costs resulting from the audit and we will bear the costs for the use of a third-party auditor. If the audit reveals a material non-compliance with this DPA or Data Protection Laws, the Supplier will cover all the costs of the audit, including the third-party auditor’s fees.

12. Term and Termination of the Processing of Personal Data
12.1 The Supplier will Process Personal Data as long as it is necessary for the Supplier in order to provide services to us under an addendum concluded between the Parties. The Supplier undertakes, in accordance with our written request and without undue delay, to delete the Personal Data or return the Personal Data to us (or to a third party appointed by us) in an agreed, generally accepted format.
12.2 The Supplier will return or delete the Personal Data upon termination of this DPA, including all existing copies of the Personal Data in its possession, unless the Supplier is required to store the said Personal Data under mandatory law or regulation.
12.3 The Supplier undertakes not to Process Personal Data after it has been successfully transferred to us or a third party appointed by us, or after it has been successfully removed. The Supplier may however continue to store and access Personal Data as provided by paragraph 12.2 above.

13. Governing Law and Jurisdiction
This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of [doc.GoverningRegion].

Annexures

Annex A  Description of the Processing and Content of Processing

This DPA is entered into and becomes a binding part of the Principal Agreement with effect from the date first set out above.

[doc.Controller]                        [doc.Processor]
Signature:                              Signature:
Name:                                   Name:
Title:                                  Title:
Date Signed:                            Date Signed:

Annex A - Description of the Processing and Content of Processing

Background and Purpose

This Annex on description of Processing is an annex to and forms an inseparable part of the DPA and the Principal Agreement.
The purpose of this Annex A is to supplement the DPA with a more detailed description of the type of Personal Data provided by us to the Supplier and categories of the Data Subjects included thereto.
Unless expressly otherwise stated, the applicable definitions provided in the DPA and the Principal Agreement shall be applied to this Annex A.

Categories of data
Please specify the Personal Data that is Processed: [agr.CatsOfPD]

Categories of Data Subjects
Please specify the categories of Data Subjects whose Personal Data is Processed: [agr.CatsOfDS]

Processing Operations
Please specify all Processing activities conducted: [agr.ProcOps]

Location of Processing Operations
Please specify all locations where the Personal Data is, or will be, Processed: [agr.LocOfProc]

Identity of sub-contractors
Please provide details of all permitted sub-contractors, including full legal name, registered address, location where Processing of Personal Data will occur, and Processing operations: [agr.IDOfSubs]

Purposes
Please specify all purposes for which the Personal Data is Processed: [agr.PurposeOfProc]

Duration
Please specify the length of time for which data Processing activities will be carried out: [agr.DurationOfProc]
