Data Processing Agreement


Summary

You may use this data processing agreement for the processing of personal and/or sensitive personal data of individuals between two organizations (the controller/customer and the processor/vendor/supplier) in the ordinary course of business. This template includes practical guidance, drafting notes, and alternate clauses. It covers data processing terms only and is not the entirety of the contract: you should create another contract with terms and conditions reflecting payment terms, length of the agreement, and other necessary items.

Although this template uses the terms controller and processor, you can use alternate terms such as customer, business, supplier, service provider, or vendor to integrate it into commercial contracts more appropriately and align it with a master service agreement (MSA). In the context of service agreements, the customer or "business" will generally be a controller and the supplier, service provider, or vendor a processor.

When your data processing agreement is covered by a specific law or regulation (such as the General Data Protection Regulation in the European Union (EU GDPR) or state comprehensive consumer privacy laws), look to each law to see whether it imposes specific contractual requirements. This template generally addresses requirements under U.S. state privacy laws. For GDPR requirements, see DPA 2018 and GDPR Compliant Data Processing Schedule (Short Form) (Pro-Processor) and DPA 2018 and GDPR Compliant Data Processing Schedule (Short-Form) (Pro-Controller).

U.S. state comprehensive consumer privacy laws include requirements for contracts involving data processing with third-party vendors. These laws dictate the substance but not the form of these contracts. As such, parties can address the requirements using a data processing addendum, a separate agreement or addendum to a contract, or they can incorporate the requirements into their underlying contract or MSA. See Third-Party Vendor Data Privacy Risk Management. U.S. state privacy laws generally require the following:

• Duration of processing. Contracts must include a provision designating the duration of the processing. This is usually covered in the contract's Term language or in a scope of work document.

• Duty of confidentiality. Many contracts already contain confidentiality provisions, but U.S. state privacy laws require that a duty of confidentiality be incorporated into the contract so that each person the vendor authorizes to process the customer's personal data is bound to protect that information.

• Nature and purpose of processing. Contracts must describe the purpose of processing personal data so that vendors cannot use that data for other purposes.

• Type(s) of data. Contracts must specify the type(s) of data the vendor will process (e.g., contact information, biometric or geolocation data, or sensitive personal information), which usually also includes the type of data subjects (e.g., the business's customers or employees).

• Instructions for processing. Contracts must include instructions for processing, which should require that the processing abide by applicable data privacy laws.

• Rights and obligations of parties. Contracts must explicitly lay out who is the controller (usually the customer) and who is the processor (usually the vendor/supplier) with respect to the processing of personal data. Most U.S. data privacy laws provide that determining whether a party is acting as a controller or processor is a fact-based determination that depends upon the context in which personal data is to be processed. This section is also the place to note that the controller has sole responsibility for the accuracy, quality, and legality of the personal data and the means by which it acquired such data.

• Requirement to demonstrate compliance with law. Contracts must require the vendor to make available to the controller, upon the controller's reasonable request, all information in the vendor's possession necessary to demonstrate compliance with its legal obligations.

• Subprocessor requirements. Contracts must contain provisions that permit the vendor to engage a subcontractor only under a written contract that binds the subcontractor to the same obligations the processor has with respect to the personal data.

• Deletion or return of personal information to the controller upon request or termination. U.S. state privacy laws also require that, at the controller's direction, the vendor delete or return all personal data to the controller at the end of the provision of services, unless retaining the personal data is required by law.

• Obligation to assist the controller with complying with law. Contracts must include provisions that require the vendor to allow and cooperate with reasonable assessments by the controller or the controller's designated assessor. In the alternative, most states allow the vendor to arrange for a qualified and independent assessor to assess its policies and its technical and organizational measures in support of these obligations, using an appropriate and accepted control standard or framework and assessment procedure. The vendor must then provide a report of that assessment to the controller upon request.

Although state law requirements are generally similar, there are some minor differences. California sets forth additional contract requirements, depending on the nature of the vendor and its relationship to the customer/business. See 11 CCR 7051(a), (b); Cal. Civ. Code § 1798.100(d)(1)–(5). For more on the specific contract requirements under each state's comprehensive consumer privacy law, see Personal Data Processing Agreement Requirements.
For specific data security requirements for consumer personal data, see the Data Security Requirements topic in the Data Security & Privacy State Law Comparison Tool and Data Security Requirements State Law Survey. For EU GDPR data security requirements, see Data Protection and Outsourcing under the General Data Protection Regulation (GDPR). For more on vendor management, see Third-Party Vendor Data Privacy Risk Management and Mitigating Your Greatest Data Privacy Risk: How to Establish an Effective Vendor Management Process.