SlideShare a Scribd company logo

Data processing agreement

Isaure de Villenfagne, profile picture
Isaure de Villenfagne

This document provides a model data processing agreement in compliance with GDPR, outlining the roles and responsibilities of the data processor and data controller. It includes sections on definitions, obligations regarding data processing, confidentiality, liability, and applicable law, as well as specific schedules for service description and security measures. The agreement is intended for legal training purposes and may be reused or modified for internal business use but not for commercial sale.

Law
Related topics:
Data Protection Practices
1 of 9
Downloaded 83 times
1
2
3
4
5
6
7
8
9
Erkelens Law – Rue des chevaliers 24 – 1050 Brussels – www.erkelenslaw.com Johan Vandendriessche Partner | Erkelens Law Visiting Professor ICT Law | UGent Visiting Professor ICT and Data Protection Law | HoWest Johan.vandendriessche@erkelenslaw.com Isaure de Villenfagne Attorney-at-Law | Erkelens Law Isaure.de.villenfagne@erkelenslaw.com Model Data Processing Agreement (GDPR) This model data processing agreement is provided as a basis for creating a GDPR compliant data processing agreement. The model agreement includes all elements required by article 28 of the GDPR. It should be noted that a compliant agreement cannot be achieved without completing the schedules. This model data processing agreement is made available in the context of legal training. It does not constitute legal advice. You may re-use, modify and adapt this document free of charge in any format or medium for your internal business purposes (commercial or otherwise) and disclose the derivative work to third parties within the context of your own internal business purposes. You have no right to sell, license or publish this document, but you may provide a copy of this document to third parties in unmodified form.
Page 1 Data Processing Agreement Between: [Name + legal form], a company incorporated under Belgian law, with registered offices at [xxx], company number [xxx] Represented by [Representative], [title] Hereafter “Data Processor”; And : [Name + legal form], a company incorporated under Belgian law, with registered offices at [xxx], company number [xxx] Represented by [Representative], [title] Hereafter “Data Controller”; The Data Controller and the Data Processor may be referred to individually as a “Party” and collectively as the “Parties”. WHEREAS (A) The Data Controller [Please describe the data controller]. (B) The Data Controller wishes to subcontract certain Services (as defined below), which imply the processing of personal data, to the Data Processor. (C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). (D) The Parties wish to lay down their rights and obligations. IT IS AGREED AS FOLLOWS: 1 Definitions and Interpretation 1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement (including the recitals hereto) shall have the following meaning: 1.1.1 “Agreement” means this Data Processing Agreement and all Schedules, if any. 1.1.2 “Confidential Information” means all information disclosed by a Party to the other Party pursuant to this Agreement which is either designated as proprietary and/or confidential, or by its nature or the nature of the circumstances surrounding disclosure, should reasonably be understood to be confidential, including (but not limited to), information on products, customer lists, price lists and financial information.
Page 2 1.1.3 “Schedule” means a schedule to the Data Processing Agreement and which forms an integral part of the Agreement. 1.1.4 “Service” means [Please describe the service]. The Service is described more in detail in Schedule 1. 1.2 The clause headings in this Agreement are for reference purposes only and shall not be used in the interpretation thereof. 2 Object of this Agreement 2.1 The Data Processor shall perform the Services in accordance with the provisions of the Agreement. 3 Price and payment 3.1 The Data Controller shall pay the Data Processor for the Services the amounts described in Schedule 1. 3.2 Any amount mentioned in this Agreement shall be VAT exclusive. 3.3 Invoices shall be paid within a period of thirty (30) days following receipt thereof. 4 Relationship between the Parties 4.1 None of the provisions of this Agreement can be interpreted as indicating the intent of the Parties to form a company, association or joint venture. 5 Duration and Termination 5.1 The duration of this Agreement shall be [Please adapt for example: one (1) year] from the date of signature of this Agreement. 5.2 Either Party shall have the right to terminate the Agreement, partially or entirely, forthwith by sending a written notice of termination to the other Party specifying the reasons for the termination, if any of the following events occur: 5.2.1 the other Party materially breaches any of its obligations under this Agreement 5.2.2 the other Party breaches any of its obligations under this Agreement and, notwithstanding a written request from the non-breaching Party to remedy such a breach, fails to comply with such a request within a period of thirty (30) days following such notice; 5.2.3 an event of force majeure prevails for a period exceeding three (3) months; or 5.2.4 the other Party becomes insolvent or enters liquidation, a petition in bankruptcy is filed for it or a receiver is appointed. 5.3 Upon the termination or expiry of this Agreement, any rights and obligations of the Parties, accrued prior to the termination or expiry thereof shall continue to exist. 5.4 Upon termination or expiry of the Agreement, or at any earlier moment if the personal data are no longer relevant for the delivery of the Services, at the choice of the Data Controller, the Data Processor shall delete or return all the personal data to the Data Controller, and delete existing copies unless a law or regulation requires storage of the personal data.
Page 3 5.5 The provision of articles 5, 6 and 7 of this Agreement shall survive the termination of this Agreement. 6 Data Protection 6.1 As the performance of the Agreement and the delivery of the Services implies the processing of personal data, the Data Controller and the Data Processor shall comply with the applicable data protection legislation and regulations. 6.2 The Data Processor shall ensure that in relation to personal data disclosed to it by, or otherwise obtained from the Data Controller, it shall act as the Data Controller’s data processor in relation to such personal data and shall therefore: 6.2.1 from 25 May 2018, create and maintain a record of its processing activities in relation to this Agreement; the Data Processor shall make the record available to the Data Controller, any auditor appointed by it and/or the supervisory authority on first request; 6.2.2 not process the personal data for any purpose other than to deliver the Services and to perform its obligations under the Agreement in accordance with the documented instructions of the Data Controller; if it cannot provide such compliance, for whatever reasons, it agrees to promptly inform the Data Controller of its inability to comply; 6.2.3 inform the Data Controller immediately if it believes that any instruction from the Data Controller infringes applicable data protection legislation and regulations; 6.2.4 not disclose the personal data to any person other than to its personnel as necessary to perform its obligations under the Agreement and ensure that such personnel is subject to statutory or contractual confidentiality obligations; 6.2.5 take appropriate technical and organisational measures against any unauthorised or unlawful processing, and to evaluate at regular intervals the adequacy of such security measures, amending these measures where necessary; these security measures are described in Schedule 2. 6.2.6 ensure that access, inspection, processing and provision of the personal data shall take place only in accordance with the need-to-know principle, i.e. information shall be provided only to those persons who require the personal data for their work in relation to the performance of the Services; 6.2.7 promptly notify the Data Controller about (i) any legally binding request for disclosure of the personal data by a data subject, a judicial or regulatory authority unless otherwise prohibited, such as the obligation under criminal law to preserve the confidentiality of a judicial enquiry, and to assist the Data Controller therewith (ii) any accidental or unauthorized access, and more in general, any unlawful processing and to assist the Data Controller therewith; 6.2.8 deal promptly and properly with all reasonable inquiries from the Data Controller relating to its processing of the personal data or in connection with the Agreement; 6.2.9 make available to the Data Controller all information necessary to demonstrate compliance with the applicable data protection legislation and regulations; 6.2.10 at the request and costs of the Data Controller, submit its data processing facilities for audit or control of the processing activities;
Page 4 6.2.11 refrain from engaging another data processor without the prior written consent of the Data Controller; 6.2.12 assist the Data Controller, subject to reasonable additional compensation, with the Data Controller’s obligation under applicable data protection laws and regulations.; 6.3 Personal data processed in the context of this Agreement may not be transferred to a country outside the European Economic Area without the prior written consent of the Data Controller. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data. 7 Confidentiality 7.1 Each Party acknowledges that during this Agreement, a Party (the “receiving Party”) may become privy to Confidential Information which is disclosed by the other Party (the “disclosing Party”). 7.2 The receiving Party shall keep all Confidential Information confidential. The receiving Party shall not disclose Confidential Information to any third party, and shall not use Confidential Information for any purposes other than for the purposes of this Agreement. The receiving Party shall safeguard the Confidential Information to the same extent that it safeguards its own confidential and proprietary information and in any event with no less than a reasonable degree of protection. 7.3 Each Party agrees that before any of its subcontractors and/or agents may be given access to Confidential Information, each such subcontractor and/or agent shall agree to be bound by a confidentiality undertaking comparable to the terms of this Agreement. Notwithstanding the return of any Confidential Information, each Party and its subcontractors and/or agents will continue to hold in confidence all Confidential Information, which obligation shall survive any termination of this Agreement. 7.4 In the event the receiving Party is requested or required to disclose, by court order or regulatory decision, any of the disclosing Party’s Confidential Information, the receiving Party shall provide, to the extent permitted, the disclosing Party with prompt written notice so that the disclosing Party may seek a protective order or other appropriate remedy and/or waive compliance with the provisions of this Agreement. The receiving Party shall furnish only that portion of the Confidential Information which is legally required. 7.5 Within [Please adapt for example: ten (10)] business days following (i) the termination or expiry of this Agreement or (ii) the disclosing Party’s reasonable earlier request at any time, the receiving Party shall destroy or return to the disclosing Party (at its option) any and all of the disclosing Party’s Confidential Information, and shall purge all copies and traces of the same from any storage location and/or media.
Page 5 7.6 The confidentiality undertaking under this Article 7 shall not be applicable if the Confidential Information: 7.6.1 has become publicly known prior to being divulged or thereafter, but without any breach of confidentiality undertaking; or 7.6.2 had been legitimately obtained from a third party neither tied by an obligation of confidentiality nor professional secrecy; or 7.6.3 was independently created by the receiving Party without use of any Confidential Information of the disclosing Party; or 7.6.4 was already known or developed by the Receiving Party, as can be demonstrated by documentary evidence. 8 Intellectual Property Rights 8.1 The Data Processor is and shall remain the owner of any materials used or made available in the context of the delivery of the Services. 8.2 The Data Processor grants to the Data Controller a limited, personal, non-exclusive, non- transferable right to use any material provided in the context of the delivery of the Services. This license is coterminous with the Agreement. 9 Liability 9.1 Either Party’s liability shall be limited, per contract year, to an amount of [AMOUNT] EUR. 9.2 Neither Party shall be liable for any indirect or consequential damages, such as (but not limited to) loss of revenue, loss of profit, loss of opportunity, loss of goodwill and third-party claims. 9.3 No limitation of liability shall apply in case of fraud, wilful intent, death and physical injury resulting from a Party’s negligence. 10 Miscellaneous Provisions 10.1 This Agreement contains the entire agreement and understanding between the Parties with respect to the subject matter hereof and supersedes and replaces all prior agreements or understandings, whether written or oral, with respect to the same subject matter that are still in force between the Parties. 10.2 Any amendments to this Agreement, as well as any additions or deletions, must be agreed in writing by both the Parties. 10.3 Whenever possible, the provisions of this Agreement shall be interpreted in such a manner as to be valid and enforceable under the applicable law. However, if one or more provisions of this Agreement are found to be invalid, illegal or unenforceable, in whole or in part, the remainder of that provision and of this Agreement shall remain in full force and effect as if such invalid, illegal or unenforceable provision had never been contained herein. Moreover, in such an event, the Parties shall amend the invalid, illegal or unenforceable provision(s) or any part thereof and/or agree on a new provision in such a way as to reflect insofar as possible the purpose of the invalid, illegal or unenforceable provision(s).
Page 6 10.4 Any failure or delay by a party in exercising any right under this Agreement, any single or partial exercise of any right under this Agreement or any partial reaction or absence of reaction by a party in the event of a violation by the other party of one or more provisions of this Agreement, shall not operate or be interpreted as a waiver (either express or implied, in whole or in part) of that party’s rights under this Agreement or under the said provision(s), nor shall it preclude any further exercise of any such rights. Any waiver of a right must be express and in writing. If there has been an express written waiver of a right following a specific failure by a party, this waiver cannot be invoked by the other party in favour of a new failure, similar to the prior one, or in favour of any other kind of failure. 11 Applicable Law and Jurisdiction 11.1 The laws of Belgium shall apply to this Agreement. 11.2 The Courts of Brussels (Belgium) shall have exclusive jurisdiction with respect to all disputes arising out of or in connection with this Agreement. Attempts to solve disputes informally shall not prevent the Parties from submitting such disputes to the Courts. * * * Done in two original counterparts, one for each Party to this Agreement: For the Data Controller, [Name] For the Data Processor, [Name] Place and date Place and date Signature Signature Name and title of the representative Name and title of the representative List of Schedules: • Schedule 1: Service Description and Pricing • Schedule 2: Data Processing and Security
Page 7 Schedule 1: Service Description and Pricing [Please add a description of the Services and the Pricing/invoicing model.]
Page 8 Schedule 2: Data Processing and Security 1. Description of the data processing carried out on behalf of the Data Controller In addition to the information provided elsewhere in the Agreement, the Parties wish to document the following information in relation to the data processing activities: The data processing performed by the Data Processor on behalf of the Data Controller relates [explain service]. The data processing activity consists of [description]. The categories of personal data involved are: [Please add the relevant categories of data, for example:] • [Identification data (personal identification data including, amongst others, name, address, telephone number, …); • Financial identification data • Personal characteristics • Consumption data • Medical data • ...] The data subjects are [Please add the data subjects concerned: for example, clients and prospective clients (service recipients)]. The duration of the data processing activities is [please describe if it is not aligned with contract duration] 2. Description of security measures The Data Processor has implemented the following security measures: • [Please add]; 3. Appointed sub-processors The Data Processor has appointed the following sub-processors: • [Please add]; [For example: Free-lance consultants which, from time to time, perform services under the operational directions of the Data Processor within the organization of the Data Processor.]

More Related Content

PDF
EU-Datenschutzgrundverordnung (DSGVO)
Michael Rohrlich
 
PDF
Dana bantuan penelitian tesis
ElviraYunita2
 
PDF
BARNES & THORNBURG LLP - Data Processing Agreement 4-6-18
FortuneCMO, LLC
 
PPTX
Controller-to-processor agreements
Tommy Vandepitte
 
PPTX
20180619 Controller-to-Processor agreements
Brussels Legal Hackers
 
PDF
GDPR and Personal Data Transfers 1.1.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
GDPR: why your contracts need updating
Brian Miller, Solicitor
 
PDF
Wispr EEA Standard Contractual Clauses.pdf
DehronHiteBenson
 
EU-Datenschutzgrundverordnung (DSGVO)
Michael Rohrlich
 
Dana bantuan penelitian tesis
ElviraYunita2
 
BARNES & THORNBURG LLP - Data Processing Agreement 4-6-18
FortuneCMO, LLC
 
Controller-to-processor agreements
Tommy Vandepitte
 
20180619 Controller-to-Processor agreements
Brussels Legal Hackers
 
GDPR and Personal Data Transfers 1.1.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
GDPR: why your contracts need updating
Brian Miller, Solicitor
 
Wispr EEA Standard Contractual Clauses.pdf
DehronHiteBenson
 

Similar to Data processing agreement (20)

PPTX
GDPR & Your Cloud Provider - What You Need to Know
Rachel Roach
 
PDF
Gdpr contracts and data sharing
Andy Willams
 
PPSX
What All Organisations Need to Know About Data Protection and Cloud Computing...
Brian Miller, Solicitor
 
PPTX
Are You GDPR Ready?
NICSA
 
PDF
General Data Protection Regulation: what do you need to do to get prepared? -...
IISPEastMids
 
PDF
Gdpr overview ciso platform presentation
Priyanka Aash
 
PPTX
GDPR, Data Privacy.
Liviu Claudiu Cismaru
 
PPT
Kawser Hamid : ICO and Data Protection in the Cloud
Gurbir Singh
 
PDF
Data Processing Agreement - Hetzner
DOTCOMIT PRO SRL
 
PDF
GDPR 11/1/2017
isc2-hellenic
 
PPTX
Niall Rooney FD Event 05.09.19
Niall Rooney
 
PPTX
GDPRR: The Key Changes
Craig Clark ITIL, CIS LI,EU GDPR P
 
PDF
Getting Ready for GDPR
Jessvin Thomas
 
PDF
GDPR and Analytics
brunomase
 
PDF
DATA PRIVACY, CLOUD & PURCHASING DEPARTMENT
Prof. Jacques Folon (Ph.D)
 
PPTX
Legal obligations and responsibilities of data processors and controllers und...
IT Governance Ltd
 
PDF
VMTN6642E - GDPR Slide Deck
Kyle Davies
 
PPTX
SCCE Processors and GDPR
Robert Bond
 
PPTX
GDPR: The Catalyst for Customer 360
DataStax
 
PDF
Data Protection Seminar_GDPR_ISOLAS_26-06-17
Michael Adamberry
 
GDPR & Your Cloud Provider - What You Need to Know
Rachel Roach
 
Gdpr contracts and data sharing
Andy Willams
 
What All Organisations Need to Know About Data Protection and Cloud Computing...
Brian Miller, Solicitor
 
Are You GDPR Ready?
NICSA
 
General Data Protection Regulation: what do you need to do to get prepared? -...
IISPEastMids
 
Gdpr overview ciso platform presentation
Priyanka Aash
 
GDPR, Data Privacy.
Liviu Claudiu Cismaru
 
Kawser Hamid : ICO and Data Protection in the Cloud
Gurbir Singh
 
Data Processing Agreement - Hetzner
DOTCOMIT PRO SRL
 
GDPR 11/1/2017
isc2-hellenic
 
Niall Rooney FD Event 05.09.19
Niall Rooney
 
GDPRR: The Key Changes
Craig Clark ITIL, CIS LI,EU GDPR P
 
Getting Ready for GDPR
Jessvin Thomas
 
GDPR and Analytics
brunomase
 
DATA PRIVACY, CLOUD & PURCHASING DEPARTMENT
Prof. Jacques Folon (Ph.D)
 
Legal obligations and responsibilities of data processors and controllers und...
IT Governance Ltd
 
VMTN6642E - GDPR Slide Deck
Kyle Davies
 
SCCE Processors and GDPR
Robert Bond
 
GDPR: The Catalyst for Customer 360
DataStax
 
Data Protection Seminar_GDPR_ISOLAS_26-06-17
Michael Adamberry
 
Ad

Recently uploaded (20)

PPTX
POSH Awareness and policy ppt with all design covering .
asvnandan
 
PPTX
ART OF LEGAL WRITING IN THE CBD [Autosaved].pptx
PmVelez
 
PPTX
prenuptial agreement ppt my by a phd scholar
rajuyadav42111
 
PDF
Vinayaka Mission Law School Courses and Infrastructure.pdf
monash2629
 
PPTX
Sexual Harassment Prevention training class
lmy1103
 
PPTX
Constitutional Law 2 Final Report.ppt bill of rights in under the constitution
JAMESJEFFERSONROSALE
 
PDF
Constitution of India and fundamental rights pdf
abiramianitha2509
 
PPTX
UDHR & OTHER INTERNATIONAL CONVENTIONS.pptx
legumleviosa
 
PPT
Understanding the Impact of the Cyber Act
dhanesh96
 
PPTX
2.....FORMULATION OF THE RESEARCH PROBLEM.pptx
pacifey700
 
PPTX
Punjab Fertilizers Control Act 2025.pptx
Abrar Ahmad
 
PPTX
4-D...Preparation of Research Design.pptx
pacifey700
 
PPTX
BL - Chapter 1 - Law and Legal Reasoning
blamgaming01
 
PDF
Palghar-SGupta-ScreesnShots-12Aug25.pdf The image of the voter list with phot...
sabranghindi
 
PPTX
FFFFFFFFFFFFFFFFFFFFFFTA_012425_PPT.pptx
bLackseaL2
 
PPT
Understanding the Impact of the Cyber Act
dhanesh96
 
PDF
OBLICON (Civil Law of the Philippines) Obligations and Contracts
NicholeAnneLavides
 
PDF
SUMMARY CASES-42-47.pdf tax -1 257++/ hsknsnd
ibrahimnorlainie
 
PDF
Analysis Childrens act Kenya for the year 2022
ssuserbc32b91
 
PPTX
What Happens to Your Business If You Become Incapacitated
Elder Law Center Of Wisconsin
 
POSH Awareness and policy ppt with all design covering .
asvnandan
 
ART OF LEGAL WRITING IN THE CBD [Autosaved].pptx
PmVelez
 
prenuptial agreement ppt my by a phd scholar
rajuyadav42111
 
Vinayaka Mission Law School Courses and Infrastructure.pdf
monash2629
 
Sexual Harassment Prevention training class
lmy1103
 
Constitutional Law 2 Final Report.ppt bill of rights in under the constitution
JAMESJEFFERSONROSALE
 
Constitution of India and fundamental rights pdf
abiramianitha2509
 
UDHR & OTHER INTERNATIONAL CONVENTIONS.pptx
legumleviosa
 
Understanding the Impact of the Cyber Act
dhanesh96
 
2.....FORMULATION OF THE RESEARCH PROBLEM.pptx
pacifey700
 
Punjab Fertilizers Control Act 2025.pptx
Abrar Ahmad
 
4-D...Preparation of Research Design.pptx
pacifey700
 
BL - Chapter 1 - Law and Legal Reasoning
blamgaming01
 
Palghar-SGupta-ScreesnShots-12Aug25.pdf The image of the voter list with phot...
sabranghindi
 
FFFFFFFFFFFFFFFFFFFFFFTA_012425_PPT.pptx
bLackseaL2
 
Understanding the Impact of the Cyber Act
dhanesh96
 
OBLICON (Civil Law of the Philippines) Obligations and Contracts
NicholeAnneLavides
 
SUMMARY CASES-42-47.pdf tax -1 257++/ hsknsnd
ibrahimnorlainie
 
Analysis Childrens act Kenya for the year 2022
ssuserbc32b91
 
What Happens to Your Business If You Become Incapacitated
Elder Law Center Of Wisconsin
 
Ad

Data processing agreement

  • 1. Erkelens Law – Rue des chevaliers 24 – 1050 Brussels – www.erkelenslaw.com Johan Vandendriessche Partner | Erkelens Law Visiting Professor ICT Law | UGent Visiting Professor ICT and Data Protection Law | HoWest Johan.vandendriessche@erkelenslaw.com Isaure de Villenfagne Attorney-at-Law | Erkelens Law Isaure.de.villenfagne@erkelenslaw.com Model Data Processing Agreement (GDPR) This model data processing agreement is provided as a basis for creating a GDPR compliant data processing agreement. The model agreement includes all elements required by article 28 of the GDPR. It should be noted that a compliant agreement cannot be achieved without completing the schedules. This model data processing agreement is made available in the context of legal training. It does not constitute legal advice. You may re-use, modify and adapt this document free of charge in any format or medium for your internal business purposes (commercial or otherwise) and disclose the derivative work to third parties within the context of your own internal business purposes. You have no right to sell, license or publish this document, but you may provide a copy of this document to third parties in unmodified form.
  • 2. Page 1 Data Processing Agreement Between: [Name + legal form], a company incorporated under Belgian law, with registered offices at [xxx], company number [xxx] Represented by [Representative], [title] Hereafter “Data Processor”; And : [Name + legal form], a company incorporated under Belgian law, with registered offices at [xxx], company number [xxx] Represented by [Representative], [title] Hereafter “Data Controller”; The Data Controller and the Data Processor may be referred to individually as a “Party” and collectively as the “Parties”. WHEREAS (A) The Data Controller [Please describe the data controller]. (B) The Data Controller wishes to subcontract certain Services (as defined below), which imply the processing of personal data, to the Data Processor. (C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). (D) The Parties wish to lay down their rights and obligations. IT IS AGREED AS FOLLOWS: 1 Definitions and Interpretation 1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement (including the recitals hereto) shall have the following meaning: 1.1.1 “Agreement” means this Data Processing Agreement and all Schedules, if any. 1.1.2 “Confidential Information” means all information disclosed by a Party to the other Party pursuant to this Agreement which is either designated as proprietary and/or confidential, or by its nature or the nature of the circumstances surrounding disclosure, should reasonably be understood to be confidential, including (but not limited to), information on products, customer lists, price lists and financial information.
  • 3. Page 2 1.1.3 “Schedule” means a schedule to the Data Processing Agreement and which forms an integral part of the Agreement. 1.1.4 “Service” means [Please describe the service]. The Service is described more in detail in Schedule 1. 1.2 The clause headings in this Agreement are for reference purposes only and shall not be used in the interpretation thereof. 2 Object of this Agreement 2.1 The Data Processor shall perform the Services in accordance with the provisions of the Agreement. 3 Price and payment 3.1 The Data Controller shall pay the Data Processor for the Services the amounts described in Schedule 1. 3.2 Any amount mentioned in this Agreement shall be VAT exclusive. 3.3 Invoices shall be paid within a period of thirty (30) days following receipt thereof. 4 Relationship between the Parties 4.1 None of the provisions of this Agreement can be interpreted as indicating the intent of the Parties to form a company, association or joint venture. 5 Duration and Termination 5.1 The duration of this Agreement shall be [Please adapt for example: one (1) year] from the date of signature of this Agreement. 5.2 Either Party shall have the right to terminate the Agreement, partially or entirely, forthwith by sending a written notice of termination to the other Party specifying the reasons for the termination, if any of the following events occur: 5.2.1 the other Party materially breaches any of its obligations under this Agreement 5.2.2 the other Party breaches any of its obligations under this Agreement and, notwithstanding a written request from the non-breaching Party to remedy such a breach, fails to comply with such a request within a period of thirty (30) days following such notice; 5.2.3 an event of force majeure prevails for a period exceeding three (3) months; or 5.2.4 the other Party becomes insolvent or enters liquidation, a petition in bankruptcy is filed for it or a receiver is appointed. 5.3 Upon the termination or expiry of this Agreement, any rights and obligations of the Parties, accrued prior to the termination or expiry thereof shall continue to exist. 5.4 Upon termination or expiry of the Agreement, or at any earlier moment if the personal data are no longer relevant for the delivery of the Services, at the choice of the Data Controller, the Data Processor shall delete or return all the personal data to the Data Controller, and delete existing copies unless a law or regulation requires storage of the personal data.
  • 4. Page 3 5.5 The provision of articles 5, 6 and 7 of this Agreement shall survive the termination of this Agreement. 6 Data Protection 6.1 As the performance of the Agreement and the delivery of the Services implies the processing of personal data, the Data Controller and the Data Processor shall comply with the applicable data protection legislation and regulations. 6.2 The Data Processor shall ensure that in relation to personal data disclosed to it by, or otherwise obtained from the Data Controller, it shall act as the Data Controller’s data processor in relation to such personal data and shall therefore: 6.2.1 from 25 May 2018, create and maintain a record of its processing activities in relation to this Agreement; the Data Processor shall make the record available to the Data Controller, any auditor appointed by it and/or the supervisory authority on first request; 6.2.2 not process the personal data for any purpose other than to deliver the Services and to perform its obligations under the Agreement in accordance with the documented instructions of the Data Controller; if it cannot provide such compliance, for whatever reasons, it agrees to promptly inform the Data Controller of its inability to comply; 6.2.3 inform the Data Controller immediately if it believes that any instruction from the Data Controller infringes applicable data protection legislation and regulations; 6.2.4 not disclose the personal data to any person other than to its personnel as necessary to perform its obligations under the Agreement and ensure that such personnel is subject to statutory or contractual confidentiality obligations; 6.2.5 take appropriate technical and organisational measures against any unauthorised or unlawful processing, and to evaluate at regular intervals the adequacy of such security measures, amending these measures where necessary; these security measures are described in Schedule 2. 6.2.6 ensure that access, inspection, processing and provision of the personal data shall take place only in accordance with the need-to-know principle, i.e. information shall be provided only to those persons who require the personal data for their work in relation to the performance of the Services; 6.2.7 promptly notify the Data Controller about (i) any legally binding request for disclosure of the personal data by a data subject, a judicial or regulatory authority unless otherwise prohibited, such as the obligation under criminal law to preserve the confidentiality of a judicial enquiry, and to assist the Data Controller therewith (ii) any accidental or unauthorized access, and more in general, any unlawful processing and to assist the Data Controller therewith; 6.2.8 deal promptly and properly with all reasonable inquiries from the Data Controller relating to its processing of the personal data or in connection with the Agreement; 6.2.9 make available to the Data Controller all information necessary to demonstrate compliance with the applicable data protection legislation and regulations; 6.2.10 at the request and costs of the Data Controller, submit its data processing facilities for audit or control of the processing activities;
  • 5. Page 4 6.2.11 refrain from engaging another data processor without the prior written consent of the Data Controller; 6.2.12 assist the Data Controller, subject to reasonable additional compensation, with the Data Controller’s obligation under applicable data protection laws and regulations.; 6.3 Personal data processed in the context of this Agreement may not be transferred to a country outside the European Economic Area without the prior written consent of the Data Controller. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data. 7 Confidentiality 7.1 Each Party acknowledges that during this Agreement, a Party (the “receiving Party”) may become privy to Confidential Information which is disclosed by the other Party (the “disclosing Party”). 7.2 The receiving Party shall keep all Confidential Information confidential. The receiving Party shall not disclose Confidential Information to any third party, and shall not use Confidential Information for any purposes other than for the purposes of this Agreement. The receiving Party shall safeguard the Confidential Information to the same extent that it safeguards its own confidential and proprietary information and in any event with no less than a reasonable degree of protection. 7.3 Each Party agrees that before any of its subcontractors and/or agents may be given access to Confidential Information, each such subcontractor and/or agent shall agree to be bound by a confidentiality undertaking comparable to the terms of this Agreement. Notwithstanding the return of any Confidential Information, each Party and its subcontractors and/or agents will continue to hold in confidence all Confidential Information, which obligation shall survive any termination of this Agreement. 7.4 In the event the receiving Party is requested or required to disclose, by court order or regulatory decision, any of the disclosing Party’s Confidential Information, the receiving Party shall provide, to the extent permitted, the disclosing Party with prompt written notice so that the disclosing Party may seek a protective order or other appropriate remedy and/or waive compliance with the provisions of this Agreement. The receiving Party shall furnish only that portion of the Confidential Information which is legally required. 7.5 Within [Please adapt for example: ten (10)] business days following (i) the termination or expiry of this Agreement or (ii) the disclosing Party’s reasonable earlier request at any time, the receiving Party shall destroy or return to the disclosing Party (at its option) any and all of the disclosing Party’s Confidential Information, and shall purge all copies and traces of the same from any storage location and/or media.
  • 6. Page 5 7.6 The confidentiality undertaking under this Article 7 shall not be applicable if the Confidential Information: 7.6.1 has become publicly known prior to being divulged or thereafter, but without any breach of confidentiality undertaking; or 7.6.2 had been legitimately obtained from a third party neither tied by an obligation of confidentiality nor professional secrecy; or 7.6.3 was independently created by the receiving Party without use of any Confidential Information of the disclosing Party; or 7.6.4 was already known or developed by the Receiving Party, as can be demonstrated by documentary evidence. 8 Intellectual Property Rights 8.1 The Data Processor is and shall remain the owner of any materials used or made available in the context of the delivery of the Services. 8.2 The Data Processor grants to the Data Controller a limited, personal, non-exclusive, non- transferable right to use any material provided in the context of the delivery of the Services. This license is coterminous with the Agreement. 9 Liability 9.1 Either Party’s liability shall be limited, per contract year, to an amount of [AMOUNT] EUR. 9.2 Neither Party shall be liable for any indirect or consequential damages, such as (but not limited to) loss of revenue, loss of profit, loss of opportunity, loss of goodwill and third-party claims. 9.3 No limitation of liability shall apply in case of fraud, wilful intent, death and physical injury resulting from a Party’s negligence. 10 Miscellaneous Provisions 10.1 This Agreement contains the entire agreement and understanding between the Parties with respect to the subject matter hereof and supersedes and replaces all prior agreements or understandings, whether written or oral, with respect to the same subject matter that are still in force between the Parties. 10.2 Any amendments to this Agreement, as well as any additions or deletions, must be agreed in writing by both the Parties. 10.3 Whenever possible, the provisions of this Agreement shall be interpreted in such a manner as to be valid and enforceable under the applicable law. However, if one or more provisions of this Agreement are found to be invalid, illegal or unenforceable, in whole or in part, the remainder of that provision and of this Agreement shall remain in full force and effect as if such invalid, illegal or unenforceable provision had never been contained herein. Moreover, in such an event, the Parties shall amend the invalid, illegal or unenforceable provision(s) or any part thereof and/or agree on a new provision in such a way as to reflect insofar as possible the purpose of the invalid, illegal or unenforceable provision(s).
  • 7. Page 6 10.4 Any failure or delay by a party in exercising any right under this Agreement, any single or partial exercise of any right under this Agreement or any partial reaction or absence of reaction by a party in the event of a violation by the other party of one or more provisions of this Agreement, shall not operate or be interpreted as a waiver (either express or implied, in whole or in part) of that party’s rights under this Agreement or under the said provision(s), nor shall it preclude any further exercise of any such rights. Any waiver of a right must be express and in writing. If there has been an express written waiver of a right following a specific failure by a party, this waiver cannot be invoked by the other party in favour of a new failure, similar to the prior one, or in favour of any other kind of failure. 11 Applicable Law and Jurisdiction 11.1 The laws of Belgium shall apply to this Agreement. 11.2 The Courts of Brussels (Belgium) shall have exclusive jurisdiction with respect to all disputes arising out of or in connection with this Agreement. Attempts to solve disputes informally shall not prevent the Parties from submitting such disputes to the Courts. * * * Done in two original counterparts, one for each Party to this Agreement: For the Data Controller, [Name] For the Data Processor, [Name] Place and date Place and date Signature Signature Name and title of the representative Name and title of the representative List of Schedules: • Schedule 1: Service Description and Pricing • Schedule 2: Data Processing and Security
  • 8. Page 7 Schedule 1: Service Description and Pricing [Please add a description of the Services and the Pricing/invoicing model.]
  • 9. Page 8 Schedule 2: Data Processing and Security 1. Description of the data processing carried out on behalf of the Data Controller In addition to the information provided elsewhere in the Agreement, the Parties wish to document the following information in relation to the data processing activities: The data processing performed by the Data Processor on behalf of the Data Controller relates [explain service]. The data processing activity consists of [description]. The categories of personal data involved are: [Please add the relevant categories of data, for example:] • [Identification data (personal identification data including, amongst others, name, address, telephone number, …); • Financial identification data • Personal characteristics • Consumption data • Medical data • ...] The data subjects are [Please add the data subjects concerned: for example, clients and prospective clients (service recipients)]. The duration of the data processing activities is [please describe if it is not aligned with contract duration] 2. Description of security measures The Data Processor has implemented the following security measures: • [Please add]; 3. Appointed sub-processors The Data Processor has appointed the following sub-processors: • [Please add]; [For example: Free-lance consultants which, from time to time, perform services under the operational directions of the Data Processor within the organization of the Data Processor.]