Data Processing Agreement Template – Free Download 2026

Download a professional data processing agreement template. Customizable for all 50 states, available in PDF and DOCX formats. Attorney-verified and ready to use.

When Do You Need a Data Processing Agreement?

You are a data controller engaging a third-party service provider (data processor) that will process personal data on your behalf, and GDPR Article 28 requires a written data processing agreement.

You are a SaaS provider or cloud service that processes customer data, and your clients are requesting a DPA as part of their vendor compliance requirements.

You need to document data security measures, breach notification obligations, sub-processor management, and data subject rights between controller and processor.

What Should a Data Processing Agreement Include?

Subject Matter and Duration

The nature and purpose of data processing, categories of data subjects, types of personal data processed, and duration of processing activities.

Processor Obligations

Security measures (Article 32), confidentiality, instructions from the controller, sub-processor management, data breach notification within 72 hours, and cooperation with data subject requests.

Data Transfer Mechanisms

Standard contractual clauses or other lawful transfer mechanisms for international data transfers outside the EU/EEA.

Audit Rights and Termination

Controller's right to audit the processor's compliance, data return or deletion upon termination, and liability allocation.

Legal Details: Key Clauses in a Data Processing Agreement

Review the standard legal provisions included in a professional data processing agreement. Each section below contains clause language used in attorney-verified templates.

Definitions & Scope of Processing

1.1 This Data Processing Agreement ("DPA") is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and any applicable national data protection laws implementing the GDPR, by and between the controller identified on the signature page ("Controller") and the processor identified on the signature page ("Processor"), collectively the "Parties." This DPA forms part of, and is incorporated by reference into, the underlying services agreement between the Parties (the "Services Agreement"). In the event of any conflict between this DPA and the Services Agreement, the terms of this DPA shall prevail with respect to data protection matters.

1.2 The following definitions apply throughout this DPA: "Personal Data" has the meaning given in Article 4(1) GDPR; "Data Subject" means the identified or identifiable natural person to whom Personal Data relates; "Processing" has the meaning given in Article 4(2) GDPR; "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data; "Supervisory Authority" means the competent data protection authority in the Controller's Member State of establishment; and "Standard Contractual Clauses" means the clauses approved by the European Commission for the transfer of Personal Data to third countries, as may be updated from time to time.

1.3 The subject matter, duration, nature, and purpose of the Processing, the type of Personal Data Processed, and the categories of Data Subjects are set forth in Annex I to this DPA. The Processor shall Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of the legal requirement prior to Processing, unless prohibited from doing so on grounds of public interest. Processing shall be limited to the minimum amount of Personal Data necessary to perform the Services described in the Services Agreement.

Processor Obligations & Security Measures

2.1 The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing, as set forth in Annex II to this DPA, including as appropriate: (a) pseudonymization and encryption of Personal Data; (b) the ability to ensure ongoing confidentiality, integrity, availability, and resilience of Processing systems and services; (c) the ability to restore availability of and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational security measures.

2.2 The Processor shall ensure that any natural person acting under the Processor's authority who has access to Personal Data Processes it only on instructions from the Controller, and shall ensure that persons authorized to Process Personal Data have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality. The Processor shall not engage any sub-processor without the prior specific or general written authorization of the Controller. A list of approved sub-processors is set forth in Annex III. The Processor shall notify the Controller of any intended changes to sub-processors with sufficient advance notice to allow the Controller to object prior to the change taking effect.

2.3 Where a sub-processor is engaged, the Processor shall impose on the sub-processor data protection obligations equivalent to those set out in this DPA by way of a binding contract. The Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations to the extent the sub-processor fails to fulfill its data protection obligations. The Processor shall cooperate fully with the Controller in responding to inquiries from Supervisory Authorities and shall make available all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.

Data Subject Rights & Breach Notification

3.1 The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligations to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including the rights of access, rectification, erasure, restriction, data portability, and objection. Upon receipt of a Data Subject request addressed to the Processor, the Processor shall promptly forward such request to the Controller and shall not respond to the Data Subject directly except on documented instructions from the Controller.

3.2 In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay and, where feasible, no later than forty-eight (48) hours after becoming aware of the breach. Such notification shall include: (a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (b) the name and contact details of the data protection officer or other contact point; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach. The Processor shall document all Personal Data Breaches, including those not reported to the Supervisory Authority.

Data Transfer & International Transfers

4.1 The Processor shall not transfer Personal Data to a country or international organization outside the European Economic Area (EEA) unless: (a) the European Commission has issued an adequacy decision for the recipient country pursuant to Article 45 GDPR; (b) appropriate safeguards are in place pursuant to Article 46 GDPR, including Standard Contractual Clauses; (c) the transfer falls within a derogation under Article 49 GDPR; or (d) the Controller has provided specific prior written authorization for the transfer. Where Standard Contractual Clauses are used for international transfers, they are incorporated by reference and form part of this DPA.

4.2 The Processor shall inform the Controller of the countries in which it and any approved sub-processors intend to Process Personal Data. The Processor shall cooperate with the Controller in conducting transfer impact assessments where required under applicable law, including assessments of the laws and practices of the recipient country that may affect the level of protection afforded to Personal Data. Where a transfer impact assessment reveals that a transfer cannot be made with equivalent protection to that afforded in the EEA, the Processor shall implement any supplementary measures identified as necessary to bring the transfer into compliance with applicable law.

Term, Audit Rights & Liability

5.1 This DPA shall commence on the effective date of the Services Agreement and shall continue in effect for so long as the Processor Processes Personal Data on behalf of the Controller. Upon termination or expiration of the Services Agreement, the Processor shall, at the Controller's election, delete or return all Personal Data and existing copies thereof, unless applicable law requires storage of the Personal Data. The Processor shall certify its compliance with this deletion or return obligation in writing to the Controller within thirty (30) days following the termination of Processing activities.

5.2 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or by an independent auditor mandated by the Controller. The Controller shall provide the Processor with at least thirty (30) days' advance written notice of any audit and shall conduct audits no more than once per calendar year unless a Personal Data Breach or regulatory investigation justifies more frequent review. Each Party's aggregate liability under this DPA shall be subject to the limitations and exclusions set forth in the Services Agreement, except with respect to obligations under applicable mandatory data protection law.

Signature Requirements

E-Signature Valid

Data processing agreements are valid with electronic signatures under ESIGN/UETA.

How to Fill Out a Data Processing Agreement

1. Map the Data Flows
Identify what personal data the processor will access, the categories of data subjects, and the specific processing activities being performed.

2. Define Security Requirements
Specify the technical and organizational measures the processor must implement: encryption, access controls, backup procedures, and incident response protocols.

3. Address Sub-Processors
List approved sub-processors, establish a process for adding new sub-processors with prior notice, and require equivalent contractual protections.

4. Execute and Maintain Records
Both parties sign the DPA. Maintain it as part of your Article 30 records of processing activities.

Free Template vs Custom Data Processing Agreement

Feature                                                       | Free Template | Custom (AI or Attorney)
Basic DPA template                                            | Yes           | Yes
GDPR Article 28 compliance review                             | -             | Yes
Attorney-reviewed DPA with SCCs for international transfers   | -             | Yes

Data Processing Agreement Template FAQ

When is a data processing agreement required?

A DPA is required under GDPR Article 28 whenever a data controller engages a data processor to process personal data on the controller's behalf. This includes cloud hosting providers, email service providers, analytics platforms, payment processors, and any third party that accesses, stores, or processes personal data of EU/EEA residents.

What is the difference between a data controller and a data processor?

A data controller determines the purposes and means of processing personal data — they decide why and how data is collected. A data processor processes personal data on behalf of the controller, following the controller's instructions. For example, if your company collects customer emails and uses Mailchimp to send newsletters, your company is the controller and Mailchimp is the processor.

What happens if I don't have a DPA?

Failure to have a DPA in place when required is a GDPR violation that can result in fines of up to 10 million euros or 2% of annual global turnover. Data protection authorities have specifically fined organizations for failing to execute DPAs with their processors.

Need a Customized Data Processing Agreement?

Most clients choose our attorney-drafted option for a data processing agreement fully personalized to their situation by a licensed attorney. Need it fast and affordable? Try our AI generator as a quick alternative.