If you wish to transfer data within the EU, it is recommended to conclude a general agreement with the recipients of the data, so that they are not only obliged by EU regulation but also by contract to comply with European data protection. With this pattern you are always on the safe side.

Template data protection agreement

1        Agreement Summary

  • This agreement regulates the obligations and rights of the parties relating to the protection of personal data.
  • This agreement includes all employees and subcontractors used by both parties regarding data processing under this agreement.
  • The terms and clauses used in this agreement shall have the same meaning as in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

2        Agreement Duration

The processing shall start on the [date] and shall end on the [date].


The processing shall starts on the [date] and shall continue until the termination of this agreement or the termination of the main contract between the two parties.

3        Agreement Subject

  • The data processing concerns following activities and purposes: list activities and purposes
  • The data processing concerns following categories of data: list all categories of data
  • The data processing concerns following categories of data subjects: list all data subjects

4        Obligations

Both parties agree and warrant:

4.1       Obligation to inform the data subjects according to Article 13 and 14 GDPR

Company shall inform the data subjects regarding the processing of their personal data.

4.2       Obligation to recognize the responsibilities according to Article 15 GDPR and following

Both parties shall have in place technical and organizational measures to realize the rights of the data subjects according to chapter three GDPR (Right of access, rectification, erasure, restriction, data portability, objection and automated individual decision-making) within legal time limit.

4.3       Security of processing according to Article 32 GDPR

Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, both parties shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.

4.4       Obligation to recognize the responsibilities according to Article 32 to 36 GDPR

Both parties shall have in place technical and organizational measures to carry out their responsibilities according to Article 32 to 36 GDPR (Security of processing, notification of personal data breach to the supervisory authority and the data subject, data protection impact assurance and prior consultation).

4.5       Technical and organizational measures



  • Entry control: Protecting the data processing facility against unauthorized entry, as: keys, key-cards, electric door openers, security personal, portieres, alarm system, video surveillance.
  • Access control: Protecting the data processing facility against unauthorized access, as: passwords including policies, two factor authentication, hardware encryption, automatic locking mechanisms.
  • User Access control: No unauthorised reading, copying, modifying inside the system, as: Access right profiles on a “need to know” basis, standard process for granting access, access protocolling, periodic reviews of all access right profiles in particular administrators.
  • Pseudonymisation: If possible, replacing personally identifiable information fields within a data record by one or more artificial identifiers.
  • Data Classification: regarding legal responsibilities or self-evaluation (confidential, intern, public)


  • Output control: No unauthorised reading, copying, altering during data transportation, electronical and physical, as: Encryption, Virtual Private Networks (VPN), electronic signature
  • Input control: No unauthorised inputting, altering or deleting data, as: protocolling, document management

Availability and Resilience

  • Availability control: Protection against accidental or unlawful destruction or accidental loss, as: backup-strategies (online/offline. on-site/off-site), failsafe power supply, virus protection, firewalls, emergency plans, security checks on infrastructure and application level, multi-level backup-plan with encrypted storage of the backup in another datacentre, Workflow with new, leaving employees.
  • Fast restorability
  • Deletion Dates: For data and metadata as Logfiles.

Processes of regular controls and evaluations

  • Data protect management including employee training
  • Incident-Response-Management.
  • Data protection friendly default settings
  • Processor control: No data processing according to Art 28 GDPR without instructions of the controller, as: agreements, formalised processing management, strict engagement with other processors (ISO-certifications, ISMS), regular controls  

4.6       Subcontractors

Both parties are allowed to engage with sub-contractors


Both parties are not allowed to engage with sub-contractors

4.7       Severability

In the event any provision of this Agreement is deemed unenforceable or ineffective, it shall not affect the enforceability or effectiveness of any other provision of this Agreement, and all other

provisions of this Agreement shall remain in full force and effect.

4.8       Confidentiality

The parties agree to maintain as confidential, and not to disclose to any third party without the prior consent of the other party, any information which one party learns from the other party as part of the data processing under this Agreement.

5        Signatures

Place, Date                                                                                                                               Place, Date

Signature                                                                                                                                  Signature

Haben Sie Fragen dazu oder Anregungen? Schreiben Sie uns eine Nachricht!

Ihre E-Mail-Adresse*
Betreff* ÄnderungsvorschlagKommentarpersönliches Gespräch
Ihre Nachricht*