Non-EEA Data Processing Agreement Template

Data Processing Agreement (Non-EEA) (GDPR-Ready)

BS.DAT.PR.02

The GDPR requires that all data processing carried out by a data processor on behalf of a data controller is carried out under a written contract.

This Data Processing Agreement (Non-EEA) is designed for use in situations where a data controller in the UK collects and uses personal data (about its customers or staff, for example), and wishes to engage a data processor that is based outside of the EEA to hold and/or process that personal data on its behalf.

The EEA or European Economic Area consists of all EU member states plus Iceland, Norway, and Liechtenstein. Countries outside of this area are known in data protection circles as “third countries” and additional steps must be taken to ensure that personal data processed in these countries is still protected to GDPR standards.

In some cases, the EU Commission may have made an “adequacy decision”, deciding that a particular country, territory, or one or more specific sectors therein ensures an adequate level of data protection.

Alternatively, other safeguards may provide suitable protection, such as binding corporate rules, standard data protection clauses adopted or approved by the EU Commission, contractual clauses agreed and authorised by the ICO, compliance with an approved code of conduct (e.g. one approved by the ICO), or certification under an approved certification mechanism. (Please note, this is a non-exhaustive list).

This document addresses a number of scenarios and includes the EU Commission’s Standard Contractual Clauses published under a Commission Decision of 2010. If Standard Contractual Clauses are to be used as the legal basis for processing personal data outside of the EEA, the details required in the Standard Contractual Clauses attached to this Agreement as Schedule 5 should be completed in full. Please also note that the wording of the Standard Contractual Clauses is exactly as provided by the EU Commission and that we have not changed it with the exception of including our customary prompts for you to enter information.

Please note that this is a highly complex legal area. This template has been designed to assist in compliance with the GDPR when processing personal data outside the EEA, but obtaining legal advice is strongly recommended. The Information Commissioner’s Office also provides help and guidance for SMEs.

Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.

This Data Processing Agreement (Non-EEA) contains the following clauses:
1. Definitions and Interpretation
2. Scope and Application of this Agreement
3. Provision of the Services and Processing Personal Data
4. Data Protection Compliance
5. Data Subject Rights, Complaints, and Personal Data Breaches
6. [Appointment of a Data Protection Officer]
7. Confidentiality
8. Data Processor’s Personnel
9. Security
10. Appointment of Sub-Processors
11. Cross-Border Transfers of Personal Data
12. Liability and Indemnity
13. [Intellectual Property Rights]
14. Term and Termination
15. Deletion and/or Disposal of Personal Data
16. Record Keeping
17. Auditing
18. [Consideration]
19. Law and Jurisdiction

and the following schedules:
1. Services
2. Personal Data
3. Technical and Organisational Data Protection Measures
4. Legal Basis for Processing Personal Data Outside the EEA
5. Standard Contractual Clauses (+ Appendix 1 + Appendix 2)

This Data Processing Agreement (Non-EEA) is in open format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.

Once you have purchased access to the appropriate document folder click on the “Download Document” link below. You will be asked what you want to do with the file. It is recommended that you save the document to a location of your choice prior to viewing.

Top