data-processing-addendum

# GDPR Data Processing Addendum (DPA)

Drafts an Art. 28-compliant DPA as a standalone addendum to an underlying service agreement, covering all mandatory processor obligations and four execution-ready schedules.

## Prerequisites

Extract from uploaded documents before drafting:

1. **Service agreement** — governing law, notice clauses, effective date, termination provisions
2. **Party details** — legal names, addresses, registration numbers, DPO contacts (both parties)
3. **Processing description** — subject matter, duration, nature/purpose, data types, data subject categories; flag Art. 9 special category data explicitly
4. **Sub-processor list** — names, locations, processing activities
5. **Security posture** — certifications (ISO 27001, SOC 2), policies, audit reports
6. **Transfer mechanisms** — SCCs, BCRs, adequacy decisions, or TIAs for EEA transfers

## Quick Start

Produce a numbered, cross-referenced document: recitals, operative provisions (Sections 1–11), signature block, and four schedules (A–D). Draft schedules in parallel with their corresponding sections.

## DPA Sections

### 1 — Parties & Main Agreement

| Element | Requirement |
|---|---|
| Party identification | Full legal name, address, registration number, DPO details |
| Hierarchy | DPA prevails over main agreement on data protection matters |
| Effective date | Specify; note retroactive application if processing already underway |
| Integration | DPA forms integral part of main agreement |

### 2 — Processing Details (→ Schedule B)

- **Subject matter & duration**: Tied to service agreement term; include renewal/termination triggers
- **Nature & purpose**: Enumerate operations (collection, storage, analysis, transmission, deletion); confirm necessity and proportionality
- **Data types**: Distinguish ordinary vs. special category (Art. 9)
- **Data subjects**: Employees, customers, end-users, children (flag Art. 8 if applicable)

### 3 — Processor Instructions (Art. 28(3)(a))

- [ ] Process only on documented controller instructions; initial scope defined by DPA and main agreement
- [ ] Procedure for additional/modified instructions (form, acknowledgment timeframe)
- [ ] Processor notifies controller immediately if any instruction violates GDPR or Member State law
- [ ] Processing beyond instructions for legal obligation: notify controller before processing unless prohibited on public-interest grounds

### 4 — Security (Art. 32) (→ Schedule C)

Schedule C minimum domains:

| Domain | Scope |
|---|---|
| Pseudonymization & encryption | At-rest, in-transit, key management |
| Confidentiality & integrity | Access controls, least-privilege, logging |
| Availability & resilience | Redundancy, DR, RTO/RPO |
| Testing & evaluation | Pen-test cadence, vulnerability management |
| Personnel | Confidentiality obligations for all authorized personnel |

Reference existing certifications (ISO 27001, SOC 2 Type II, TISAX) as baseline evidence.

### 5 — Sub-processors (Art. 28(2), 28(4)) (→ Schedule A)

- [ ] General written authorization (preferred) OR specific per-sub-processor authorization
- [ ] 30-day advance notice for additions/replacements; controller may object on reasonable grounds
- [ ] Objection consequences: processor proposes alternative OR controller may terminate without penalty
- [ ] Sub-processors bound by equivalent obligations (Art. 28(4))
- [ ] Processor fully liable for sub-processor performance

### 6 — Data Subject Rights (Art. 12–23)

- [ ] Processor supports controller responses: access (15), rectification (16), erasure (17), restriction (18), portability (20), objection (21)
- [ ] Direct requests from data subjects: notify controller within **48 hours**; do not respond without documented instruction
- [ ] Cost allocation for resource-intensive requests consistent with main agreement

### 7 — Breach Notification (Art. 33–34)

- [ ] Notify controller **without undue delay, max 24 hours** after awareness (adjust for data sensitivity)
- [ ] Notification must include: nature of breach, approximate affected subjects/records, contact point, likely consequences, mitigation measures
- [ ] Cooperate on investigation, supervisory authority notification (Art. 33/34), data subject communications
- [ ] Preserve all evidence; maintain incident log

### 8 — Compliance Assistance (Art. 32–36)

- [ ] Assist with Art. 32 security obligations and DPIAs (Art. 35)
- [ ] Support prior supervisory authority consultation (Art. 36) where required
- [ ] Provide all information to demonstrate Art. 28 compliance
- [ ] Allow for and contribute to audits (Section 9)

### 9 — Audits & Inspections

| Parameter | Position |
|---|---|
| Notice | 30 days (routine); shorter for cause |
| Frequency | Annual unless cause exists |
| Auditor | Controller team or independent third party (under NDA) |
| Remote audits | Permitted |
| Alternative evidence | Art. 42/40 certification, SOC 2 Type II, ISO 27001 (current and comprehensive) |
| Costs | Controller bears routine; processor bears remediation costs for non-compliance |
| Remediation | Specified timeline; escalation; controller may suspend or terminate for material breach |

### 10 — Data Return & Deletion

- [ ] Controller elects upon termination: return in structured format OR secure deletion (cryptographic erasure/physical destruction)
- [ ] Certification of completion within **30 days** (standard) / **60 days** (complex environments)
- [ ] Legal retention exception: retained data must be isolated, confidential, unused for service delivery
- [ ] Backups: isolate, exclude from restoration, delete per documented rotation schedule

### 11 — General Provisions

- [ ] **Definitions**: Incorporate GDPR Art. 4; add processing-specific terms
- [ ] **Governing law**: Compatible with GDPR Art. 3 territorial scope; must not undermine Chapter III rights
- [ ] **International transfers**: SCCs (Art. 46(2)(c)), BCRs (Art. 47), or adequacy (Art. 45); reference TIA post-*Schrems II*
- [ ] **Amendments**: Written mutual agreement; process for regulatory-driven updates
- [ ] **Dispute resolution**: Escalation → mediation → litigation/arbitration

## Schedules

| Schedule | Contents |
|---|---|
| **A** | Approved sub-processors: name, address, processing location, activity |
| **B** | Processing description: subject matter, duration, nature/purpose, data types, data subject categories |
| **C** | Technical and organizational security measures (by domain per Section 4) |
| **D** | Certifications, audit reports, compliance documentation |

Flag any schedule where source documents lack sufficient detail; note required information for completion.

## Pitfalls

- **Art. 28(3) completeness is mandatory** — all eight elements must appear; omission risks fines up to 4% global annual turnover / €20M
- **Special category data** (Art. 9): heighten security in Schedules B and C
- **Children's data**: flag Art. 8 and national implementing provisions
- **Jurisdiction**: GDPR applies by Art. 3 regardless of processor location; governing law must not conflict
- **SCCs**: verify against current EC SCC templates (June 2021) and EDPB Recommendations 01/2020
- **Never** allow processor to use personal data for own purposes — converts processor to controller
- **Never** grant open-ended sub-processor authorization without change-notification and objection rights
- **Reconcile** all cost, notice, and termination provisions with the underlying service agreement before execution