Data processing addendum (controller-processor)

Consider this template data processing addendum if you need to bring an existing contract into line with the General Data Protection Regulation (GDPR).

This document should however only be used where one party to the contract is a controller and the other is a processor with respect to data transferred under the contract. It should not be used for processor-to-processor or controller-to-controller transfers.

In preparing this addendum, we have tracked the specific requirements of Article 28 of the GDPR closely. Accordingly, the addendum incorporates a limitation on the processor acting otherwise than in accordance with the written instructions of the controller. It also includes limitations on international transfers of personal data, a requirement that confidentiality obligations be placed upon people who can access the data and security requirements.

ADDENDUM

1. Definitions
2. This Addendum and the Agreement
3. Data protection
4. Surviving provisions

SCHEDULE 1 (DATA PROCESSING INFORMATION)

1. Categories of data subject
2. Types of Personal Data
3. Purposes of processing
4. Security measures for Personal Data
5. Sub-processors of Personal Data

SCHEDULE 2 (STANDARD CONTRACTUAL CLAUSES)

Ask a question

A copy of this data processing addendum (controller to processor) is included in the following pack:

• GDPR pack