This document is not legal advice, and is intended to be used as a starting point and reference. Many will choose to modify its language to fit their situation.
Published: March 2018
Article 28 of the EU’s General Data Protection Regulation requires data controllers to include certain terms and requirements in their contracts with processors. Sometimes these terms are included in the body of product and service contracts, but frequently they are added to new or existing agreements as an addendum.
Justin Weiss, Global Head of Data Privacy for the Naspers Group, is the editor of the book and lead author of the model DPA. But Justin has not worked alone. This document is the result of input from many lawyers throughout the world, including but not limited to the authors of the forthcoming book’s various chapters: Jeewon Kim Serrato (U.S.); Pablo Palazzi (Argentina); Anna Gamvros (Hong Kong); Rachel Thompson (U.S.); Merel Schwaanhuyser (Switzerland); Julia Jacobsen (U.S.); Susan Hintze (U.S.); Jared Friend (U.S.); Emma Ottoy (Belgium); and Clément Legrand (Belgium).
A few practical notes about using this model agreement. First, it is not legal advice. Second, it is designed to be relatively neutral but there will be provisions that may favor controllers over processors or vice versa. It is intended to be used as a starting point and reference, but many will choose to modify its language to fit their situation. Third, the endnotes provide additional insight and guidance, but they are not intended to be included in any actual data processing agreements.