Data processing agreement (processor-sub-processor)

The GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) includes detailed rules on the content of contracts between organisations that act as processors of personal data and those that act as sub-processors. This agreement is designed to help both processors and sub-processors to comply with their obligations under the GDPR.

Note that we have a separate document for controller-processor contracts. To illustrate the different categories of actor here: a social network operator would usually be a controller, while a hosting services reseller providing services to the operator would usually be a processor, and the ultimate provider of the hosting services would be a sub-processor of the reseller.

This agreement can be used alongside a services agreement; and it can be used in addition to a services agreements that was signed in the past.

The basic T&Cs in this document are very much like the terms in our controller-to-processor data processing agreement. The main distinction is that the “standard contractual clauses” are unavailable as a way of transmitting personal data to a sub-processor not in the EEA.

1. Definitions
2. Supplemental
3. Term
4. Data protection
5. Limits upon exclusions of liability
6. Termination
7. Effects of termination
8. Notices
9. General
10. Interpretation

SCHEDULE 1 (DATA PROCESSING INFORMATION)

1. Categories of data subject
2. Types of Personal Data
3. Purposes of processing
4. Security measures for Personal Data
5. Sub-processors of Personal Data

This template is supplied in Word (.doc) format and is 18 pages long, including 8 pages of guidance notes.

Ask a question

A copy of this data processing agreement (processor to sub processor) is included in the following pack:

• GDPR pack