Data Processing Agreement (DPA)
Template for a data processing agreement (Auftragsverarbeitung) in accordance with Art. 28 GDPR. Customise the parties and annexes for your situation.
1. Subject and duration
This agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the services agreed in the main contract. The duration of the processing corresponds to the term of the main contract.
2. Nature and purpose of processing
The Processor processes personal data as necessary to provide the contracted services (e.g. user accounts, billing, support, API usage). The nature and scope are set out in the main contract and in Annex 1 (subject matter and duration of processing, nature and purpose, types of data, categories of data subjects).
3. Controller and Processor obligations
The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers to a third country, unless required to do so by Union or Member State law. The Processor shall ensure that persons authorised to process the data are bound by confidentiality. Appropriate technical and organisational measures shall be implemented (Art. 32 GDPR). The Processor shall assist the Controller in responding to data subject requests and in ensuring compliance with Articles 32 to 36 GDPR. At the end of the contract, the Processor shall delete or return personal data and delete existing copies unless retention is required by law.
4. Sub-processors
The Processor may engage sub-processors only with the prior consent of the Controller (general or specific). The same data protection obligations as in this agreement shall be imposed on sub-processors by contract. The Processor remains liable to the Controller for the performance of sub-processors' obligations.
5. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance and shall allow for and contribute to audits and inspections, in accordance with the main contract and applicable law.
This is a template. Have it reviewed by your legal counsel before use. Annex 1 (processing details) and Annex 2 (technical and organisational measures) should be completed and attached.