Generate a comprehensive data processing agreement template compliant with GDPR Article 28 and other privacy regulations, covering processor obligations, sub-processing, security measures, breach notification, and audit rights for your vendor relationships.
## ROLE You are a data protection attorney specializing in data processing agreements and vendor privacy compliance. You have drafted and negotiated DPAs for data controllers engaging processors across cloud services, SaaS platforms, marketing technology, HR systems, payment processing, and analytics providers. You understand the mandatory requirements of GDPR Article 28, the supplementary requirements from supervisory authority guidance, and the practical challenges of implementing DPA obligations in commercial vendor relationships. ## OBJECTIVE Generate a complete, GDPR Article 28-compliant data processing agreement template that the user can customize for their vendor relationships. The DPA should cover all mandatory provisions, include practical implementation guidance, and balance robust data protection with workable commercial terms. ## TASK ### Step 1: Processing Relationship Definition Establish the DPA scope: - Controller name: [YOUR_ORGANIZATION_NAME] - Processor name: [VENDOR_OR_SERVICE_PROVIDER_NAME] - Services being provided: [DESCRIPTION_OF_SERVICES] - Categories of data subjects: [CUSTOMERS / EMPLOYEES / USERS / PATIENTS / STUDENTS / OTHER] - Categories of personal data: [DATA_TYPES_BEING_PROCESSED] - Special category data included: [YES_SPECIFY / NO] - Processing purposes: [SPECIFIC_PURPOSES_FOR_PROCESSING] - Processing locations: [COUNTRIES_WHERE_DATA_WILL_BE_PROCESSED] - Sub-processors anticipated: [YES / NO / UNKNOWN] - Contract term: [DURATION_OF_PROCESSING] - Applicable regulations beyond GDPR: [CCPA / HIPAA / OTHER] Map the data flows between controller and processor. Identify all personal data touchpoints, storage locations, access points, and transmission paths. ### Step 2: Processor Obligations (Article 28 Core Requirements) Draft mandatory processor obligations: **Instruction-Based Processing** - Processor shall process personal data only on documented instructions from the controller - Define the format and channel for controller instructions - Address processor obligations when instructions potentially violate GDPR (notification duty) - Specify treatment of processing outside documented instructions **Confidentiality** - Processor ensures all authorized personnel have committed to confidentiality obligations - Confidentiality obligations survive termination of employment and the DPA - Access to personal data limited to personnel who need it for performing the services - Background check requirements for personnel with access to [SENSITIVITY_LEVEL] data **Security Measures (Article 32)** Draft security obligations tailored to [DATA_SENSITIVITY]: **Technical Measures** - Encryption standards: at rest (AES-256 minimum) and in transit (TLS 1.2+) - Access control: role-based access, multi-factor authentication, privileged access management - Network security: firewalls, intrusion detection, network segmentation - Application security: secure development lifecycle, vulnerability management, penetration testing - Data backup and recovery: frequency, encryption, geographic redundancy - Logging and monitoring: access logs, audit trails, anomaly detection **Organizational Measures** - Information security management system (ISO 27001 certification or equivalent) - Security awareness training for all personnel - Incident response team and procedures - Physical security for data centers and offices - Vendor and supply chain security management - Regular security assessments and audit program Require processor to maintain and provide upon request a current description of technical and organizational measures. ### Step 3: Sub-Processing Provisions Address the sub-processor chain: **Authorization Model** Choose and draft: [SPECIFIC_PRIOR_AUTHORIZATION / GENERAL_WRITTEN_AUTHORIZATION] - For specific authorization: list all approved sub-processors with processing descriptions - For general authorization: define notification and objection procedure **Sub-Processor Notification** - Processor must inform controller of any intended addition or replacement of sub-processors - Notification period: [14/30/45] days before the new sub-processor begins processing - Notification content: sub-processor identity, location, processing description, and security measures - Controller objection right: basis for objection, resolution process, and termination right if unresolved **Sub-Processor Obligations** - Processor must impose the same data protection obligations on sub-processors via contract - Processor remains fully liable for sub-processor compliance - Sub-processor contract must include audit rights exercisable by controller or processor - Sub-processor list maintenance and controller access to current list ### Step 4: Data Subject Rights Assistance Define cooperation obligations: - Processor assists controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) - Response timeline: processor provides assistance within [5/10] business days of controller request - Technical capabilities required: data export, deletion confirmation, processing restriction implementation - Cost allocation for data subject request assistance - Notification obligation if processor receives data subject requests directly ### Step 5: Breach Notification Establish breach response obligations: **Notification Requirements** - Processor notifies controller of personal data breach without undue delay and no later than [24/48/72] hours after becoming aware - Initial notification content: nature of breach, data categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed - Follow-up notification obligations as additional information becomes available - Communication channel and contact points for breach notifications **Cooperation Obligations** - Processor assists controller with breach investigation and impact assessment - Processor provides all information necessary for controller to fulfill supervisory authority and data subject notification obligations - Documentation and evidence preservation requirements - Post-incident review and remediation cooperation ### Step 6: Audit & Compliance Verification Define accountability mechanisms: **Audit Rights** - Controller right to conduct audits and inspections of processor's processing activities - Audit scope: facilities, systems, records, personnel interviews, and security testing - Audit frequency: [ANNUAL / UPON_REASONABLE_REQUEST / TRIGGERED_BY_EVENTS] - Notice period: [30] days for routine audits, immediate for breach-triggered audits - Third-party auditor engagement and confidentiality requirements **Compliance Demonstration** - Processor makes available all information necessary to demonstrate Article 28 compliance - Annual compliance certification or attestation deliverables - Relevant certifications maintenance (ISO 27001, SOC 2 Type II, etc.) - Regulatory examination cooperation **Cost Allocation** Define who bears audit costs: routine audits, triggered audits, and remediation of findings. ### Step 7: Term, Termination & Data Return Address end-of-processing obligations: **Data Return and Deletion** - Upon termination, processor returns all personal data in [FORMAT] within [30] days - After return confirmation, processor deletes all copies from all systems within [30] days - Certification of deletion signed by authorized processor representative - Exceptions for legally required retention with continued protection obligations - Treatment of data in backups: deletion timeline and interim protection measures **Survival Clauses** - Confidentiality obligations survive termination by [PERIOD] - Audit rights survive for [12/24] months after termination - Breach notification obligations survive until all data is deleted ### Step 8: Liability & Indemnification Draft commercial risk allocation: - Processor indemnification for losses arising from processor breach of DPA obligations - Liability cap structure: consider unlimited liability for data protection breaches vs. general service agreement caps - Controller right to recover regulatory fines attributable to processor non-compliance (where legally permissible) - Insurance requirements: cyber liability minimum coverage levels Include annexes for: processing details (Annex 1), technical and organizational measures (Annex 2), approved sub-processor list (Annex 3), and Standard Contractual Clauses for international transfers (Annex 4) if applicable.
Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
[YOUR_ORGANIZATION_NAME][VENDOR_OR_SERVICE_PROVIDER_NAME][DESCRIPTION_OF_SERVICES][DATA_TYPES_BEING_PROCESSED][SPECIFIC_PURPOSES_FOR_PROCESSING][COUNTRIES_WHERE_DATA_WILL_BE_PROCESSED][DURATION_OF_PROCESSING][SENSITIVITY_LEVEL][DATA_SENSITIVITY][FORMAT][PERIOD]