Data Processing Agreement (DPA) Form

1. Introduction

This Data Processing Agreement ("Agreement") is entered into between the parties as part of the compliance requirements under applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR) (EU) 2016/679. This Agreement governs the processing of personal data by the Processor on behalf of the Controller.

2. Definitions

  • Controller: The entity that determines the purposes and means of processing personal data.
  • Processor: The entity processing personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data, including collection, storage, modification, and deletion.
  • Data Subject: An individual whose personal data is being processed.
  • Supervisory Authority: A public authority responsible for monitoring data protection compliance.

3. Scope and Purpose of Processing

  • The Processor shall only process Personal Data on documented instructions from the Controller.
  • The processing shall be strictly limited to the scope necessary to fulfill the contractual obligations between the parties.
  • The Processor shall not use the Personal Data for any other purpose unless required by law.

4. Data Processing Obligations

  • The Processor shall process Personal Data lawfully, fairly, and transparently.
  • The Processor shall ensure the confidentiality, integrity, and availability of Personal Data.
  • The Processor shall implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, or destruction.

5. Security Measures

The Processor shall implement appropriate security measures, including but not limited to:

  • Encryption of personal data where applicable.
  • Regular security assessments and risk mitigation procedures.
  • Access controls ensuring only authorized personnel have access to personal data.

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations under data protection laws, including responding to Data Subject requests related to:

  • Access, rectification, or deletion of personal data.
  • Restriction or objection to processing.
  • Data portability requests.

7. Sub-Processing

  • The Processor shall not engage a sub-processor without prior written consent from the Controller.
  • If sub-processing is approved, the sub-processor shall be bound by the same data protection obligations under this Agreement.

8. Data Breach Notification

  • The Processor shall notify the Controller without undue delay, but no later than 24 hours after becoming aware of a data breach.
  • The notification shall include:
    • The nature and scope of the breach.
    • The categories and approximate number of affected data subjects.
    • Mitigation measures taken or proposed.

9. Data Retention and Deletion

  • The Processor shall retain personal data only for the duration necessary to fulfill the contractual obligations.
  • Upon termination of the agreement or upon Controller’s request, the Processor shall delete or return all personal data unless legal obligations require retention.

10. Compliance and Audit Rights

  • The Controller has the right to conduct audits or inspections to verify compliance with this Agreement.
  • The Processor shall provide necessary records and documentation demonstrating compliance with data protection obligations.

11. Liability and Indemnification

  • The Processor shall be liable for any breach of this Agreement due to its negligence or non-compliance.
  • The Processor shall indemnify the Controller against any claims, fines, or damages resulting from a breach.

12. Governing Law and Jurisdiction

This Agreement shall be governed by the laws of Ireland, and any disputes shall be resolved in the courts of Ireland.

13. Term and Termination

  • This Agreement shall remain in effect for the duration of the processing activities.
  • Either party may terminate this Agreement if the other party materially breaches its obligations and fails to remedy such breach within 30 days.

14. Signatures

By signing this Agreement, the parties acknowledge and agree to the terms outlined herein.
