| Author: | Alasdair Taylor |
| Updated: | 23 January 2023 |
| Length: | 7 pages |
| Notes: | 8 pages |
| Format: | MS Word (.DOC) |
This data processing addendum template provides for the transfer of personal data in a manner consistent with the General Data Protection Regulation or GDPR - in its original EU form and/or its derivative UK form. It can help both transferees and transferors to comply with their legal obligations relating to data transfers under the GDPR.
This addendum template can be used alongside a new services contract; alternatively, it can be used with respect to a previously-agreed services contract.
Article 28 of the EU GDPR and its UK offspring include detailed rules on the content of contracts between organisations that act as controllers/processors of personal data and those that act as processors/sub-processors. In preparing this data processing addendum, we have tracked the specific requirements of Article 28 of the GDPR closely. Accordingly, the addendum incorporates a limitation on the transferee acting otherwise than in accordance with the written instructions of the transferor. It also includes limitations on international transfers of personal data, a requirement that confidentiality obligations be placed upon individuals who can access the data, and security requirements.
This data processing addendum comes in two (very similar) versions. The first should be used where one party to the contract is a controller and the other is a processor with respect to data transferred under the contract; the second should be used where one party is a processor and the other is a sub-processor. Neither version is suitable for controller-to-controller transfers of personal data.
If you are unsure whether your business or organisation is a controller or processor or sub-processor, you should review the guidance on the distinction published by the UK Information Commissioner's Office (https://ico.org.uk/) and/or the European Data Protection Board (https://edpb.europa.eu/).
