If you wish to transfer data within the EU, it is recommended to conclude a general agreement with the recipients of the data, so that they are obliged not only by EU regulation but also by contract to comply with European data protection law. With this template you are always on the safe side.
Template data protection agreement
- This agreement regulates the obligations and rights of the parties relating to the protection of personal data.
- This agreement includes all employees and subcontractors used by both parties regarding data processing under this agreement.
- The terms and clauses used in this agreement shall have the same meaning as in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The processing shall start on the [date] and shall end on the [date].
The processing shall start on the [date] and shall continue until the termination of this agreement or the termination of the main contract between the two parties.
- The data processing concerns the following activities and purposes: [list activities and purposes]
- The data processing concerns the following categories of data: [list all categories of data]
- The data processing concerns the following categories of data subjects: [list all data subjects]
Both parties agree and warrant:
Company shall inform the data subjects regarding the processing of their personal data.
Both parties shall have in place technical and organizational measures to realize the rights of the data subjects according to Chapter III GDPR (right of access, rectification, erasure, restriction of processing, data portability, objection and automated individual decision-making) within the legal time limit.
Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, both parties shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia and as appropriate, the measures listed below.
Both parties shall have in place technical and organizational measures to carry out their responsibilities according to Articles 32 to 36 GDPR (security of processing, notification of a personal data breach to the supervisory authority and communication to the data subject, data protection impact assessment and prior consultation).
- Entry control: Protecting the data processing facility against unauthorized physical entry, such as: keys, key cards, electric door openers, security personnel, doormen, alarm systems, video surveillance.
- Access control: Protecting the data processing systems against unauthorized access, such as: passwords including password policies, two-factor authentication, hardware encryption, automatic locking mechanisms.
- User access control: No unauthorised reading, copying or modifying inside the system, such as: access right profiles on a "need to know" basis, a standard process for granting access, access logging, periodic reviews of all access right profiles, in particular those of administrators.
- Pseudonymisation: Where possible, replacing personally identifiable information fields within a data record by one or more artificial identifiers.
- Data classification: According to legal responsibilities or self-evaluation (confidential, internal, public).
- Transfer control: No unauthorised reading, copying or altering during data transport, electronic and physical, such as: encryption, Virtual Private Networks (VPN), electronic signatures.
- Input control: No unauthorised inputting, altering or deleting of data, such as: logging, document management.
Availability and Resilience
- Availability control: Protection against accidental or unlawful destruction or accidental loss, such as: backup strategies (online/offline, on-site/off-site), failsafe power supply, virus protection, firewalls, emergency plans, security checks at infrastructure and application level, a multi-level backup plan with encrypted storage of the backup in another data centre, onboarding and offboarding workflows for new and departing employees.
- Rapid restorability: The ability to restore availability of and access to personal data in a timely manner after an incident.
- Deletion deadlines: For data and for metadata such as log files.
Processes of regular controls and evaluations
- Data protection management, including employee training
- Data protection friendly default settings
- Processor control: No data processing according to Art. 28 GDPR without instructions of the controller, such as: agreements, formalised processing management, strict criteria for engaging other processors (ISO certifications, ISMS), regular controls.
Both parties are allowed to engage with sub-contractors
Both parties are not allowed to engage with sub-contractors
In the event any provision of this Agreement is deemed unenforceable or ineffective, it shall not affect the enforceability or effectiveness of any other provision of this Agreement, and all other provisions of this Agreement shall remain in full force and effect.
The parties agree to maintain as confidential, and not to disclose to any third party without the prior consent of the other party, any information which one party learns from the other party as part of the data processing under this Agreement.
Place, Date Place, Date