Free template
Data Processing Agreement (DPA)
Clearly define data handling responsibilities to ensure compliance with this Data Processing Agreement Template.
Downloaded 2898 times
Data Processing Agreement (DPA)
This Data Processing Agreement ("Agreement") is entered into on [Date], by and between:
Controller (Company): [Company Name]
Address: [Company Address]
Website: [Website URL]
and
Processor (Service Provider): [Processor Name / Company Name]
Address: [Processor Address]
1. Purpose
This Agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the services provided under the main agreement between the Parties ("Main Agreement").
2. Definitions
"Personal Data": Any information relating to an identified or identifiable natural person.
"Processing": Any operation or set of operations performed on personal data (e.g., collection, storage, access, deletion).
"Applicable Law": All relevant data protection laws, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR").
3. Scope and Duration
The Processor shall process Personal Data only as necessary to perform services under the Main Agreement and for the duration of that agreement unless otherwise required by law.
4. Nature and Purpose of Processing
Subject matter: [e.g., User data, client data, HR records]
Categories of data subjects: [e.g., Website users, employees, customers]
Types of personal data: [e.g., Name, email, IP address, purchase history]
5. Processor Obligations
The Processor agrees to:
Process Personal Data only on documented instructions from the Controller
Ensure confidentiality of personnel involved
Implement appropriate technical and organizational security measures
Assist the Controller in responding to data subject requests
Notify the Controller of any data breach without undue delay
Provide records and audits upon request
6. Sub-processors
The Processor shall not engage sub-processors without prior written authorization from the Controller. A current list of authorized sub-processors shall be maintained and made available upon request.
7. Data Transfers
Processor shall not transfer Personal Data outside the EEA/UK unless such transfer is in compliance with Applicable Law and subject to appropriate safeguards (e.g., SCCs, adequacy decisions).
8. Return or Deletion of Data
Upon termination of the Main Agreement, the Processor shall, at the choice of the Controller, delete or return all Personal Data unless legal obligations require retention.
9. Liability and Indemnification
Each party shall be liable for breaches of this Agreement and shall indemnify the other party against claims resulting from non-compliance.
10. Governing Law
This Agreement shall be governed by the laws of [State/Country], and any disputes shall be resolved in the competent courts of that jurisdiction.
IN WITNESS WHEREOF, the Parties have executed this Data Processing Agreement as of the date first written above.
Controller (Company)
Name:
Title:
Date:
Processor (Service Provider)
Name:
Title:
Date:
Details
Learn more about
Data Processing Agreement (DPA)
Data Processing Agreement (DPA) FAQ
What is a Data Processing Agreement (DPA)?
A DPA is a contract between data controllers and processors, outlining how personal data is handled securely and legally.
Why do you need a DPA?
It’s required under GDPR and similar privacy laws to clearly define data handling responsibilities and ensure compliance.
When should you use a DPA?
Use it whenever your company processes personal data on behalf of another organization.
How to write a DPA?
Clearly specify data processing activities, security measures, responsibilities of each party, compliance requirements, and penalties for breaches.
Similar templates
