
GDPR Data Processing Agreement (DPA)

DATA PROCESSING AGREEMENT (GDPR COMPLIANT)

This Data Processing Agreement ("DPA") is entered into on [DATE] between [CONTROLLER_NAME] ("Controller") and [PROCESSOR_NAME] ("Processor").

WHEREAS the Controller and Processor enter into a contract requiring the processing of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).

1. Subject Matter and Duration.
The Processor shall process personal data on behalf of the Controller in relation to [DESCRIPTION_OF_PROCESSING]. This DPA shall apply for the duration of the underlying contract.

2. Nature and Purpose of Processing.
The Processor shall process personal data of the following categories: [CATEGORIES_OF_DATA_SUBJECTS]. The personal data shall include the following categories: [CATEGORIES_OF_PERSONAL_DATA]. Processing shall be limited to the following purposes: [PURPOSES].

3. Types of Personal Data.
Personal data shall be limited to: [SPECIFY: names, email addresses, IP addresses, etc.].

4. Data Protection Obligations.
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure that persons authorized to process personal data are bound by confidentiality
- Implement appropriate technical and organizational measures to ensure security
- Not transfer personal data outside the EEA without prior authorization
- Assist the Controller in fulfilling data subject rights requests
- Delete or return personal data upon termination

5. Sub-processors.
The Processor shall not engage sub-processors without prior specific or general written authorization from the Controller. The Processor shall inform the Controller of any intended changes regarding sub-processors.

6. Data Subject Rights.
Upon request from the Controller, the Processor shall assist in fulfilling the rights of data subjects, including access, rectification, erasure, and data portability requests.

7. International Transfers.
If data is transferred outside the EEA, the Processor shall implement Standard Contractual Clauses or other lawful mechanisms approved by the European Commission.

8. Deletion or Return of Data.
Upon termination of this DPA, the Processor shall delete all personal data or return it to the Controller as instructed.

[CONTROLLER_NAME]
By: ______________________

[PROCESSOR_NAME]
By: ______________________
