Data Processing

Agreement
Free template

You can use the template in basic .PDF form or create your free Contractbook account to
craft interactive, reusable templates! It saves a lot of time!

�� Use in-app template or scroll down to access traditional template ↓

Data Processing Agreement

Contents

1. Data Processing Agreement preamble

2. The rights and obligations of the Data Controller
3. The Data Processor acts according to instructions
4. Confidentiality
5. Security of processing
6. Use of Sub-Processors
7. Transfer of data to third countries or international organisations
8. Assistance to the Data Controller
9. Notification of personal data breach
10. Erasure and return of data
11. Inspection and audit
12. The Parties’ agreement on other terms
13. Commencement and termination
14. Data Controller and Data Processor contacts/contact points

A. Information about the processing

B. Terms of the Data Processor’s use of Sub-processors and list of approved Sub-processors

C. Instruction pertaining to the use of personal data

D. The Parties’ terms of the agreement on other subjects

1. Data Processing Agreement preamble

1. This Data Processing Agreement sets out the rights and obligations that apply to the Data
Processor’s handling of personal data on behalf of the Data Controller.

2. This Agreement has been designed to ensure the Parties’ compliance with Article 28, sub
section 3 of Regulation 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on
the free movement of such data and repealing Directive 95/46/EC (General Data Protection
Regulation), which sets out specific requirements for the content of data processing
agreements.

3. The Data Processor’s processing of personal data shall take place for the purposes of
fulfilment of the Parties’ ‘Master Agreement’. [Name of master agreement/service] commencing
on [date].

4. The Data Processing Agreement and the ‘Master Agreement’ shall be interdependent and
cannot be terminated separately. The Data Processing Agreement may, however – without
termination of the ‘Master Agreement’ – be replaced by an alternative valid data processing
agreement.

5. This Data Processing Agreement shall take priority over any similar provisions contained in
other agreements between the Parties, including the ‘Master Agreement’.
6. Four appendices are attached to this Data Processing Agreement. The Appendices form an
integral part of this Data Processing Agreement.

7. Appendix A of the Data Processing Agreement contains details about the processing as well
as the purpose and nature of the processing, type of personal data, categories of data subject
and duration of the processing.

8. Appendix B of the Data Processing Agreement contains the Data Controller’s terms and
conditions that apply to the Data Processor’s use of Sub-Processors and a list of Sub
Processors approved by the Data Controller.
9. Appendix C of the Data Processing Agreement contains instructions on the processing that
the Data Processor is to perform on behalf of the Data Controller (the subject of the
processing), the minimum security measures that are to be implemented and how inspection
with the Data Processor and any Sub-Processors is to be performed.

10. Appendix D of the Data Processing Agreement contains the Parties’ provisions for activities
that are not contained in this Data Processing Agreement or the Parties’ ‘Master Agreement’.

11. The Data Processing Agreement and its associated Appendices shall be retained in writing
as well as electronically by both Parties.

12. This Data Processing Agreement shall not exempt the Data Processor from obligations to
which the Data Processor is subject pursuant to the General Data Protection Regulation or
other legislation.

2. The rights and obligations of the Data Controller

1. The Data Controller shall be responsible to the outside world (including the data subject) for
ensuring that the processing of personal data takes place within the framework of the General
Data Protection Regulation and the Danish Data Protection Act.

2. The Data Controller shall, therefore, have both the right and obligation to make decisions
about the purposes and means of the processing of personal data.

3. The Data Controller shall be responsible for ensuring that the processing that the Data
Processor is instructed to perform is authorised in law.

3. The Data Processor acts according to instructions

1. The Data Processor shall solely be permitted to process personal data on documented
instructions from the Data Controller unless processing is required under EU or Member
State law to which the Data Processor is subject; in this case, the Data Processor shall
inform the Data Controller of this legal requirement prior to processing unless that law
prohibits such information on important grounds of public interest, cf. Article 28, sub-section 3,
para a.

2. The Data Processor shall immediately inform the Data Controller if instructions in the
opinion of the Data Processor contravene the General Data Protection Regulation or data
protection provisions contained in other EU or Member State law.

4. Confidentiality

1. The Data Processor shall ensure that only those persons who are currently authorised to do
so are able to access the personal data being processed on behalf of the Data Controller.
Access to the data shall therefore without delay be denied if such authorisation is removed or
expires.

2. Only persons who require access to the personal data in order to fulfil the obligations of the
Data Processor to the Data Controller shall be provided with authorisation.

3. The Data Processor shall ensure that persons authorised to process personal data on
behalf of the Data Controller have undertaken to observe confidentiality or are subject to a
suitable statutory obligation of confidentiality.

4. The Data Processor shall at the request of the Data Controller be able to demonstrate that
the employees concerned are subject to the above confidentiality.

5. Security of processing

1. The Data Processor shall take all the measures required pursuant to Article 32 of the General
Data Protection Regulation, which stipulates that with consideration for the current level,
implementation costs and the nature, scope, context and purposes of processing and the risk of
varying likelihood and severity for the rights and freedoms of natural persons, the Data
Controller and Processor shall implement appropriate technical and organisational measures to
ensure a level of security appropriate to the risk.
2. The above obligation means that the Data Processor shall perform a risk assessment and
thereafter implement measures to counter the identified risk. Depending on their relevance, the
measures may include the following:

a. Pseudonymisation and encryption of personal data

b. The ability to ensure ongoing confidentiality, integrity, availability and resilience of

processing systems and services.

c. The ability to restore the availability and access to personal data in a timely manner in the
event of a physical or technical incident.

d. A process for regularly testing, assessing and evaluating the effectiveness of technical
and organisational measures for ensuring the security of the processing.

3. The Data Processor shall in ensuring the above – in all cases – at a minimum implement the
level of security and the measures specified in Appendix C to this Data Processing Agreement.

4. The Parties’ possible regulation/agreement on remuneration etc. for the Data Controller’s or
the Data Processor’s subsequent requirement for establishing additional security measures
shall be specified in the Parties’ ‘Master Agreement’ or in Appendix D to this Data Processing
Agreement.

6. Use of Sub-Processors

1. The Data Processor shall meet the requirements specified in Article 28, sub-section 2 and 4,
of the General Data Protection Regulation in order to engage another processor (Sub
Processor).

2. The Data Processor shall therefore not engage another processor (Sub-Processor) for the
fulfilment of this Data Processing Agreement without the prior specific or general written
consent of the Data Controller.
3. In the event of general written consent, the Data Processor shall inform the Data Controller
of any planned changes with regard to additions to or replacement of other data processors
and thereby give the Data Controller the opportunity to object to such changes.

4. The Data Controller’s requirements for the Data Processor’s engagement of other Sub
processors shall be specified in Appendix B to this Data Processing Agreement.

5. The Data Controller’s consent to the engagement of specific Sub-processors, if applicable,

shall be specified in Appendix B to this Data Processing Agreement.

6. When the Data Processor has the Data Controller’s authorisation to use a Sub-processor, the
Data Processor shall ensure that the Sub-Processor is subject to the same data protection
obligations as those specified in this Data Processing Agreement on the basis of a contract or
other legal document under EU law or the national law of the Member States, in particular
providing the necessary guarantees that the Sub-Processor will implement the appropriate
technical and organisational measures in such a way that the processing meets the
requirements of the General Data Protection Regulation.

The Data Processor shall, therefore, be responsible – on the basis of a sub-processor

agreement – for requiring that the Sub-processor at least comply with the obligations to which
the Data Processor is subject pursuant to the requirements of the General Data Protection
Regulation and this Data Processing Agreement and its associated Appendices.

7. A copy of such a sub-processor agreement and subsequent amendments shall – at the Data
Controller’s request – be submitted to the Data Controller who will thereby have the opportunity
to ensure that a valid agreement has been entered into between the Data Processor and the
Sub-Processor. Commercial terms and conditions, such as pricing, that do not affect the legal
data protection content of the sub-processor agreement, shall not require submission to the
Data Controller.

8. The Data Processor shall in his agreement with the Sub-Processor include the Data
Controller as a third party in the event of the bankruptcy of the Data Processor to enable the
Data Controller to assume the Data Processor’s rights and invoke these as regards the Sub
Processor, e.g. so that the Data Controller is able to instruct the Sub-Processor to perform the
erasure or return of data.
9. If the Sub-Processor does not fulfil his data protection obligations, the Data Processor shall
remain fully liable to the Data Controller as regards the fulfilment of the obligations of the Sub-
Processor.

7. Transfer of data to third countries or international organisations

1. The Data Processor shall solely be permitted to process personal data on documented
instructions from the Data Controller, including as regards transfer (assignment, disclosure
and internal use) of personal data to third countries or international organisations, unless
processing is required under EU or Member State law to which the Data Processor is subject;
in such a case, the Data Processor shall inform the Data Controller of that legal requirement
prior to processing unless that law prohibits such information on important grounds of public
interest, cf. Article 28, sub-section 3, para a.

2. Without the instructions or approval of the Data Controller, the Data Processor, therefore,
cannot – within the framework of this Data Processing Agreement:

a. disclose personal data to a data controller in a third country or in an international

organisation

b. assign the processing of personal data to a Sub-processor in a third country

c. have the data processed in another of the Data Processor’s divisions which is located in a
third country

3. The Data Controller’s instructions or approval of the transfer of personal data to a third
country, if applicable, shall be set out in Appendix C to this Data Processing Agreement.

8. Assistance to the Data Controller

1. The Data Processor, taking into account the nature of the processing, shall, as far as
possible, assist the Data Controller with appropriate technical and organisational measures, in
the fulfilment of the Data Controller’s obligations to respond to requests for the exercise of the
data subjects’ rights pursuant to Chapter 3 of the General Data Protection Regulation.

This entails that the Data Processor should as far as possible assist the Data Controller in the
Data Controller’s compliance with:
 a. notification obligation when collecting personal data from the data subject b.

notification obligation if personal data have not been obtained from the data subject c.

right of access by the data subject

d. the right to rectification

e. the right to erasure (‘the right to be forgotten’)

f. the right to restrict processing

g. notification obligation regarding rectification or erasure of personal data or restriction of

processing

h. the right to data portability

i. the right to object

j. the right to object to the result of automated individual decision-making, including profiling

1. The Data Processor shall assist the Data Controller in ensuring compliance with the Data
Controller’s obligations pursuant to Articles 32-36 of the General Data Protection Regulation
taking into account the nature of the processing and the data made available to the Data
Processor, cf. Article 28, sub-section 3, para f.

This entails that the Data Processor should, taking into account the nature of the processing,
as far as possible assist the Data Controller in the Data Controller’s compliance with:
a. the obligation to implement appropriate technical and organisational measures to ensure a
level of security appropriate to the risk associated with the processing

b. the obligation to report personal data breaches to the supervisory authority (Danish Data
Protection Agency) without undue delay and, where feasible, not later than 72 hours of the Data
Controller discovering such breach unless the personal data breach is unlikely to result in a risk
to the rights and freedoms of natural persons

c. the obligation – without undue delay - to communicate the personal data breach to the data
subject when such breach is likely to result in a high risk to the rights and freedoms of natural
persons
d. the obligation to carry out a data protection impact assessment if a type of processing is
likely to result in a high risk to the rights and freedoms of natural persons

e. the obligation to consult with the supervisory authority (Danish Data Protection Agency) prior
to processing if a data protection impact assessment shows that the processing will lead to high
risk in the lack of measures taken by the Data Controller to limit the risk

2. The Parties’ possible regulation/agreement on remuneration etc. for the Data Processor’s
assistance to the Data Controller shall be specified in the Parties’ ‘Master Agreement’ or in
Appendix D to this Data Processing Agreement.

9. Notification of personal data breach

1. On discovery of personal data breach at the Data Processor’s facilities or a Sub-processor’s

facilities, the Data Processor shall without undue delay notify the Data Controller.

The Data Processor’s notification to the Data Controller shall, if possible, take place within
[number of hours] after the Data Processor has discovered the breach to enable the Data
Controller to comply with his obligation, if applicable, to report the breach to the supervisory
authority within 72 hours.
2. According to Clause 9.2., para b, of this Data Processing Agreement, the Data Processor
shall – taking into account the nature of the processing and the data available – assist the Data
Controller in the reporting of the breach to the supervisory authority.

This may mean that the Data Processor is required to assist in obtaining the information listed
below which, pursuant to Article 33, sub-section 3, of the General Data Protection Regulation,
shall be stated in the Data Controller’s report to the supervisory authority:

a. The nature of the personal data breach, including, if possible, the categories and the
approximate number of affected data subjects and the categories and the approximate number
of affected personal data records

b. Probable consequences of a personal data breach

c. Measures which have been taken or are proposed to manage the personal data breach,
including, if applicable, measures to limit its possible damage

10. Erasure and return of data

1. On termination of the processing services, the Data Processor shall be under obligation, at
the Data Controller’s discretion, to erase or return all the personal data to the Data Controller
and to erase existing copies unless EU law or Member State law requires storage of the personal
data.

11. Inspection and audit

1. The Data Processor shall make available to the Data Controller all information necessary to
demonstrate compliance with Article 28 of the General Data Protection Regulation and this
Data Processing Agreement, and allow for and contribute to audits, including inspections
performed by the Data Controller or another auditor mandated by the Data Controller.
2. The procedures applicable to the Data Controller’s inspection of the Data Processor are
specified in Appendix C to this Data Processing Agreement.

3. The Data Controller’s inspection of Sub-processors, if applicable, shall, as a rule, be

performed through the Data Processor. The procedures for such inspection are specified in
Appendix C to this Data Processing Agreement.

4. The Data Processor shall be required to provide the supervisory authorities, which pursuant
to applicable legislation have access to the Data Controller’s and Data Processor’s facilities, or
representatives acting on behalf of such supervisory authorities, with access to the Data
Processor’s physical facilities on presentation of appropriate identification.

12. The Parties’ agreement on other terms

1. (Separate) terms relating to the consequences of the Parties’ breach of this Data Processing
Agreement, if applicable, shall be specified in the Parties’ ‘Master Agreement’ or in Appendix D
to this Data Processing Agreement.

2. Regulation of other terms between the Parties shall be specified in the Parties’ ‘Master
Agreement’ or in Appendix D to this Data Processing Agreement.
13. Commencement and termination

1. This Data Processing Agreement shall become effective on the date of both Parties’
signature to the Agreement.

2. Both Parties shall be entitled to require this Data Processing Agreement renegotiated if
changes to the law or inexpediency of the provisions contained herein should give rise to such
renegotiation.

3. The Parties’ agreement on remuneration, terms etc. in connection with amendments to this
Data Processing Agreement, if applicable, shall be specified in the Parties’ ‘Master Agreement’
or in Appendix D to this Data Processing Agreement.
4. This Data Processing Agreement may be terminated according to the terms and conditions
of termination, incl. notice of termination, specified in the ‘Master Agreement’.

5. This Data Processing Agreement shall apply as long as the processing is performed.
Irrespective of the termination of the ‘Master Agreement’ and/or this Data Processing
Agreement, the Data Processing Agreement shall remain in force until the termination of the
processing and the erasure of the data by the Data Processor and any Sub-processors.

6. Signature

14. Data Controller and Data Processor contacts/contact points 1.

The Parties may contact each other using the following contacts/contact points:

2. The Parties shall be under obligation continuously to inform each other of changes to
contacts/contact points.

Name: [State name]

 Position: [State position]

Telephone number: [State telephone number]

E-mail: [State e-mail]

Name: [State name]

Position: [State position]

Telephone number: [State telephone number]

E-mail: [State e-mail]

A. Information about the processing

The purpose of the Data Processor’s processing of personal data on behalf of the Data
Controller is:

[describe the purpose of the processing].

For example:

“that the Data Controller is able to use system X which is owned and managed by the Data
Processor to collect and process data about the Data Controller’s members.”

The Data Processor’s processing of personal data on behalf of the Data Controller shall
mainly pertain to (the nature of the processing):
[describe the nature of the processing].

For example:

“that the Data Processor makes available system X to the Data Controller and hereby stores
personal data about the Data Controller’s members on the company servers.”

The processing includes the following types of personal data about data subjects:

[describe the type of personal data being processed].

For example:

“Name, e-mail address, telephone number, address, national identification number, payment
details, membership number, type of membership, attendance at fitness centre and registration
for specific fitness classes.”

Processing includes the following categories of data subject:

[describe category of data subject]

For example:

“Persons who have or have purchased a membership from the Data Controller.”

The Data Processor’s processing of personal data on behalf of the Data Controller may be
performed when this Data Processing Agreement commences. Processing has the following
duration:

[describe the duration of the processing]

For example:

“Processing shall not be time-limited and shall be performed until this Data Processing
Agreement is terminated or cancelled by one of the Parties.”
B. Terms of the Data Processor’s use of Sub-processors and list of approved Sub
processors

b.1. Terms of the Data Processor’s use of Sub-processors, if applicable [Describe the
terms and conditions for the Data Processor’s use of Sub-Processors].

For example:

“The Data Processor shall solely engage Sub-processors with the prior explicit written
agreement of the Data Controller. The Data Processor’s request for such engagement shall be
submitted to the Data Controller a minimum of [number of months] prior to the engagement of
Sub-processors or amendments coming into force. The Data Controller shall solely refuse
consent if the Data Controller has reasonable and specific grounds for such refusal.”

or

“The Data Processor has the Data Controller’s general consent for the engagement of Sub
processors. The Data Processor shall, however, inform the Data Controller of any planned
changes with regard to additions to or replacement of other data processors and thereby give
the Data Controller the opportunity to object to such changes. Such notification shall be
submitted to the Data Controller a minimum of [number of months] prior to the engagement of
Sub-processors or amendments coming into force. If the Data Controller should object to the
changes, the Data Controller shall notify the Data Processor of this within [state time period] of
receipt of the notification. The Data Controller shall only object if the Data Controller has
reasonable and specific grounds for such refusal.”

or

“The Data Processor shall not make use of Sub-processors.”

b.2. Approved Sub-processors

The Data Controller shall on commencement of this Data Processing Agreement approve the
engagement of the following Sub-processors:

Name CVR no. Address Description of processing

[Name] [CVR no.] [Address] [General description of processing by Sub-Processor]

[Name] [CVR no.] [Address] [General description of processing by Sub-Processor]

 [Name] [CVR no.] [Address] [General description of processing by Sub-Processor]

[Name] [CVR no.] [Address] [General description of processing by Sub-Processor]

The Data Controller shall on the commencement of this Data Processing Agreement
specifically approve the use of the above Sub-processors for the processing described for that
party. The Data Processor shall not be entitled – without the Data Controller’s explicit written
consent – to engage a Sub-processor for ‘different’ processing than the one that has been
agreed or have another Sub-processor perform the described processing.

C. Instruction pertaining to the use of personal data

c.1. The subject of/instruction for the processing

The Data Processor’s processing of personal data on behalf of the Data Controller shall be
carried out by the Data Processor performing the following:

[Describe the processing that the Data Processor has been instructed to perform or refer
to specific clauses of the ‘Master Agreement’, if applicable].

c.2. Security of processing

The level of security shall reflect:

[Describe elements that are essential to the level of security]

For example:
“That the processing involves a large volume of personal data which are subject to Article 9 of
the General Data Protection Regulation on ‘special categories of personal data’ which is why a
‘high’ level of security should be established.”

The Data Processor shall hereafter be entitled and under obligation to make decisions about
the technical and organisational security measures that are to be applied to create the
necessary (and agreed) level of data security.

The Data Processor shall, however – in any event and at a minimum – implement the following
measures that have been agreed with the Data Controller (on the basis of the risk assessment
that the Data Controller has performed):

[Describe requirements for pseudonymisation and encryption of personal data]

[Describe requirements for ensuring ongoing confidentiality, integrity, availability and
resilience of processing systems and services]
[Describe requirements for the ability to restore the availability and access to personal data
in a timely manner in the event of a physical or technical incident]
[Describe requirements for processes for regularly testing, assessing and evaluating the
effectiveness of technical and organisational measures for ensuring the security of the
processing]
[Describe requirements for access to data online]
[Describe requirements for the protection of data during transmission]
[Describe requirements for the protection of data during storage]
[Describe requirements for physical security of locations at which personal data are
processed]
[Describe requirements for the use of home/remote working]
[Describe requirements for logging]

c.3. Storage period/erasure procedures

[State storage period/erasure procedures for the Data Processor, if applicable]

For example:

“Personal data are stored for [state time period or incident] after which they are erased by the
Data Processor.”

or
“Personal data are stored with the Data Processor until the Data Controller requests that the
data are erased or returned.”

c.4. Processing location

Processing of the personal data under this Data Processing Agreement cannot be performed
at other locations than the following without the Data Controller’s prior written consent:
 [State where processing takes place] [State the data processor or sub-processor using the
address]
[State where processing takes place] [State the data processor or sub-processor using the
address]

c.5. Instruction for or approval of the transfer of personal data to third countries [Describe

an instruction for or approval of the transfer of personal data to a third country]

[State the legal basis for transfer pursuant to Chapter 5 of the General Data Protection
Regulation]

If the Data Controller does not in this clause or by subsequent written notification provide
instructions or consent pertaining to the transfer of personal data to a third country, the Data
Processor shall not be entitled within the framework of this Data Processing Agreement to
perform such transfer.

c.6. Procedures for the Data Controller’s inspection of the processing being performed by
the Data Processor

[Describe procedures for the Data Controller's inspection of processing with the Data
Processor, if applicable]

For example:

“The Data Processor shall once [state time period] at [the Data Processor’s/the Data
Controller’s] expense obtain an inspection report from an independent third party with regards
to the Data Processor's compliance with this Data Processing Agreement and its associated
Appendices.
The Parties have agreed that the following types of inspection report may be used: [insert
‘approved’ inspection reports]

The inspection report shall without delay be submitted to the Data Controller for information
purposes.

The Data Controller or the Data Controller’s representative shall, in addition, have access to
inspecting, including physically inspecting, the processing at the Data Processor’s facilities
when the Data Controller deems that this is required.”

or
“The Data Controller or the Data Controller’s representative shall perform [state time period] a
physical inspection with regards to the compliance of this Data Processing Agreement at the
Data Processor’s facilities.

In addition to the planned inspection, the Data Controller shall be entitled to inspect the Data
Processor when the Data Controller deems that this is required.”

and, if applicable,

“The Data Controller’s costs, if applicable, relating to physical inspection shall be defrayed by
the Data Controller. The Data Processor shall, however, be under obligation to set aside the
resources (mainly time) required for the Data Controller to be able to perform the inspection.”

c.7. Procedures for the inspection of the processing being performed by Sub-processors, if
applicable

[Describe procedures for the Data Controller's inspection of processing with the Sub
Processor, if applicable]

For example:

“The Data Processor shall once [state time period] at [the Data Processor’s/the Data
Controller’s] expense obtain an inspection report from an independent third party with regards
to the Sub-Processor's compliance with this Data Processing Agreement and its associated
Appendices.

The Parties have agreed that the following types of inspection report may be used: [insert
‘approved’ inspection reports]The inspection report shall without delay be submitted to the
Data Controller for information.

The Data Processor or the Data Processor’s representative shall, in addition, have access to
inspecting, including physically inspecting, the processing at the Sub-Processor’s facilities
when the Data Processor (or the Data Controller) deems that this is required.”

Documentation for such inspections shall without delay be submitted to the Data Controller for
information.”

or

“The Data Processor or the Data Processor’s representative shall perform [state time period] a
physical inspection with regards to the compliance of this Data Processing Agreement at the
Sub-Processor’s facilities.
In addition to the planned inspection, the Data Processor shall be entitled to inspect the Sub
Processor when the Data Processor (or the Data Controller) deems that this is required.”

Documentation for such inspections shall without delay be submitted to the Data Controller for
information.”

and, if applicable,

“The Data Controller may – if required – elect to initiate and participate in a physical inspection at
the Sub-Processor’s facilities. This may apply if the Data Controller deems that the Data
Processor’s supervision of the Sub-Processor has not provided the Data Controller with
sufficient documentation to prove that the processing by the Sub-Processor is being performed
according to this Data Processing Agreement.

The Data Controller’s participation in an inspection at the Sub-Processor’s facilities shall not
alter the fact that the Data Processor hereafter continues to bear the full responsibility for the
Sub-Processor’s compliance with data protection legislation and this Data Processing
Agreement.”

and, if applicable,

“The Data Processor’s and the Sub-Processor’s costs related to physical

supervision/inspection at the Sub-Processor’s facilities shall not concern the Data Controller –
irrespective of whether the Data Controller has initiated and participated in such inspection.”
D. The Parties’ terms of the agreement on other subjects

d.1. [Heading]
d.2. [Heading]
d.3. [Heading]
d.4. [Heading]