Sample Data Processing Agreement

Published: March 2018

Article 28 of the EU’s General Data Protection Regulation requires data controllers to include in their contracts with processors certain terms and requirements. Sometimes these terms are included in the body of product and service contracts, but frequently they are added to new or existing agreements as an addendum.

The IAPP published a book called “Data Processing Agreements: Coordination, Drafting, and Negotiation” which discusses many aspects of these new types of contracts. The book includes a model data processing agreement and many of the authors’ chapters discuss and refer to the model DPA. The book is available in the IAPP Store in digital format.

Justin Weiss, Global Head of Data Privacy for the Naspers Group, is the editor of the book and lead author of the model DPA. But Justin has not worked alone. This document is the result of input from many lawyers throughout the world, including but not limited to the authors of the forthcoming book’s various chapters: Jeewon Kim Serrato (U.S.); Pablo Palazzi (Argentina); Anna Gamvros (Hong Kong); Rachel Thompson (U.S.); Merel Schwaanhuyser (Switzerland); Julia Jacobsen (U.S.); Susan Hintze (U.S.); Jared Friend (U.S.); Emma Ottoy (Belgium); and Clément Legrand (Belgium).

A few practical notes about using this model agreement. First, it is not legal advice. Second, it is designed to be relatively neutral but there will be provisions that may favor controllers over processors or vice versa. It is intended to be used as a starting point and reference, but many will choose to modify its language to fit their situation. Third, the endnotes provide additional insight and guidance, but they are not intended to be included in any actual data processing agreements.