Data Processing Agreement (Non-EEA) (GDPR-Ready)
The GDPR requires that all data processing carried out by a data processor
on behalf of a data controller is carried out under a written contract.
This Data Processing Agreement (Non-EEA) is designed for use in situations
where a data controller in the UK collects and uses personal data (about
its customers or staff, for example), and wishes to engage a data processor
that is based outside of the EEA to hold and/or process that personal data
on its behalf.
The EEA or European Economic Area consists of all EU member states plus
Iceland, Norway, and Liechtenstein. Countries outside of this area are
known in data protection circles as “third countries” and additional steps
must be taken to ensure that personal data processed in these countries is
still protected to GDPR standards.
In some cases, the EU Commission may have made an “adequacy decision”,
deciding that a particular country, territory, or one or more specific
sectors therein ensures an adequate level of data protection.
Alternatively, other safeguards may provide suitable protection, such as
binding corporate rules, standard data protection clauses adopted or
approved by the EU Commission, contractual clauses agreed and authorised by
the ICO, compliance with an approved code of conduct (e.g. one approved by
the ICO), or certification under an approved certification mechanism.
(Please note, this is a non-exhaustive list).
This document addresses a number of scenarios and includes the EU
Commission’s Standard Contractual Clauses published under a Commission
Decision of 2010. If Standard Contractual Clauses are to be used as the
legal basis for processing personal data outside of the EEA, the details
required in the Standard Contractual Clauses attached to this Agreement as
Schedule 5 should be completed in full. Please also note that the wording
of the Standard Contractual Clauses is exactly as provided by the EU
Commission and that we have not changed it with the exception of including
our customary prompts for you to enter information.
Please note that this is a highly complex legal area. This template has
been designed to assist in compliance with the GDPR when processing
personal data outside the EEA, but obtaining legal advice is strongly
recommended. The Information Commissioner’s Office also provides help
and guidance for SMEs.
Optional phrases / clauses are enclosed in square brackets. These should be
read carefully and selected so as to be compatible with one another. Unused
options should be removed from the document.
This Data Processing Agreement (Non-EEA) contains the following clauses:
1. Definitions and Interpretation
2. Scope and Application of this Agreement
3. Provision of the Services and Processing Personal Data
4. Data Protection Compliance
5. Data Subject Rights, Complaints, and Personal Data Breaches
6. [Appointment of a Data Protection Officer]
8. Data Processor’s Personnel
10. Appointment of Sub-Processors
11. Cross-Border Transfers of Personal Data
12. Liability and Indemnity
13. [Intellectual Property Rights]
14. Term and Termination
15. Deletion and/or Disposal of Personal Data
16. Record Keeping
19. Law and Jurisdiction
and the following schedules:
2. Personal Data
3. Technical and Organisational Data Protection Measures
4. Legal Basis for Processing Personal Data Outside the EEA
5. Standard Contractual Clauses (+ Appendix 1 + Appendix 2)
This Data Processing Agreement (Non-EEA) is in open format. Either enter
the requisite details in the highlighted fields or adjust the wording to
suit your purposes.
Once you have purchased access to the appropriate document folder click on
the “Download Document” link below. You will be asked what you want to do
with the file. It is recommended that you save the document to a location
of your choice prior to viewing.