Consider this template data processing addendum if you need to bring an existing contract into line with the General Data Protection Regulation (GDPR).
This document should however only be used where one party to the contract is a controller and the other is a processor with respect to data transferred under the contract. It should not be used for processor-to-processor or controller-to-controller transfers.
In preparing this addendum, we have tracked the specific requirements of Article 28 of the GDPR closely. Accordingly, the addendum incorporates a limitation on the processor acting otherwise than in accordance with the written instructions of the controller. It also includes limitations on international transfers of personal data, a requirement that confidentiality obligations be placed upon people who can access the data and security requirements.