Data processing agreement (processor-sub-processor)

The GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) and its UK offspring include detailed rules on the content of contracts between organisations that act as processors of personal data and those that act as sub-processors. This agreement is designed to help both processors and sub-processors to comply with their obligations under the GDPR.

Note that we have a separate document for controller-processor contracts. To illustrate the different categories of actor here: a social network operator would usually be a controller, while a hosting services reseller providing services to the operator would usually be a processor, and the ultimate provider of the hosting services would be a sub-processor of the reseller.

This agreement can be used alongside a services agreement; and it can be used in addition to a services agreements that was signed in the past.

The basic T&Cs in this document are very much like the terms in our controller-to-processor data processing agreement. The main distinction is that the “standard contractual clauses” are unavailable as a way of transmitting personal data to a sub-processor not in the EEA/UK.

1. Definitions
2. Supplemental
3. Term
4. Data protection
5. Limits upon exclusions of liability
6. Termination
7. Effects of termination
8. Notices
9. General
10. Interpretation

SCHEDULE 1 (DATA PROCESSING INFORMATION)

1. Categories of data subject
2. Types of Personal Data
3. Purposes of processing
4. Security measures for Personal Data
5. Sub-processors of Personal Data

Ask a question

A copy of this data processing agreement (processor to sub processor) is included in the following pack:

• GDPR pack