{"id":730,"date":"2021-08-19T07:11:24","date_gmt":"2021-08-19T11:11:24","guid":{"rendered":"https:\/\/www.harmonizehq.com\/blog\/?p=730"},"modified":"2021-08-17T07:39:09","modified_gmt":"2021-08-17T11:39:09","slug":"data-processing-agreements","status":"publish","type":"post","link":"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/","title":{"rendered":"The Guide to Data Processing Agreements"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">Before we get started, here are definitions of some keywords and phrases that appear throughout the article. It is helpful to understand them from the get-go.\u00a0<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td>\n<p style=\"text-align: center;\"><b>Phrase<\/b><\/p>\n<\/td>\n<td>\n<p style=\"text-align: center;\"><b>Definition<\/b><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Data subject<\/span><\/td>\n<td><span style=\"font-weight: 400;\">The person whose data is processed. Most often, these are your customers.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Data controller<\/span><\/td>\n<td><span style=\"font-weight: 400;\">This is your company. This is the person that decides what data to process, how it will be processed, and why it is processed.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Data processor\u00a0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">A third party that processes personal data on behalf of a data controller. For example, when your HR department does a background check on a prospective employee, you may hire another company or service to do it for you. They would be a data processor \u2013 your company must have a data processing agreement.\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Personal data<\/span><\/td>\n<td><span style=\"font-weight: 400;\">This is data that is held on a person which can lead to them being directly or indirectly identified. This includes data such as name, address, location, email, phone number, ethnicity, gender, biometric data, and web cookies.\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Data processing<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Processing is any action or operation performed on personal data \u2013 whether through automated means or not. For example, this would include collection, storage, alteration, consultation, organizing, or erasing it.\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Third-party\u00a0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Third-party refers to any person that is not a data subject, data controller, or data processor.\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<div class=\"lyte-wrapper fourthree\" style=\"width:480px;max-width:100%;margin:5px auto;\"><div class=\"lyMe\" id=\"WYL_Oj_iQ6ZJGy4\"><div id=\"lyte_Oj_iQ6ZJGy4\" data-src=\"https:\/\/blog.harmonizehq.com\/wp-content\/plugins\/wp-youtube-lyte\/lyteCache.php?origThumbUrl=%2F%2Fi.ytimg.com%2Fvi%2FOj_iQ6ZJGy4%2Fhqdefault.jpg\" class=\"pL\"><div class=\"tC\"><div class=\"tT\"><\/div><\/div><div class=\"play\"><\/div><div class=\"ctrl\"><div class=\"Lctrl\"><\/div><div class=\"Rctrl\"><\/div><\/div><\/div><noscript><a href=\"https:\/\/youtu.be\/Oj_iQ6ZJGy4\"><img src=\"https:\/\/blog.harmonizehq.com\/wp-content\/plugins\/wp-youtube-lyte\/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2FOj_iQ6ZJGy4%2F0.jpg\" alt=\"\" width=\"480\" height=\"340\" \/><br \/>Watch this video on YouTube<\/a><\/noscript><\/div><\/div><div class=\"lL\" style=\"max-width:100%;width:480px;margin:5px auto;\"><\/div><\/p>\n\n<h2><span style=\"font-weight: 400;\">What is a Data Processing Agreement?<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The foundation of data processing is that it must be processed with the consent of the data subject or through some other legitimate and lawful means. Under the law, this is also a legal requirement \u2013 particularly the General Data Protection Regulation (GDPR), Recital 40. The data processing agreement was created to establish the foundation of data processing and to allow companies to process a data subject\u2019s information lawfully through third-party processors. Therefore, the data processing agreement is used to cement the processing of personal data by third parties for your business. Under the GDPR, your business must have a separate data processing agreement with each data processor. These agreements must be in written form and agreed to by both parties.\u00a0<\/span><\/p>\n<blockquote><p><span style=\"font-weight: 400;\">Processing has a wider meaning within the GDPR, and it includes any possible action that can be taken with a data subject\u2019s personal data. For example, collecting it, selling it, storing it, or destroying it.\u00a0<\/span><\/p><\/blockquote>\n<p><span style=\"font-weight: 400;\">Data processing agreements are legally binding contracts under the law and stated the rights and responsibilities of both parties to the contract concerning the use and processing of personal data.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Where your company requires a processor, you should ensure that they are GDPR compliant and should audit the processor. The data processing agreement should include all your rights and responsibilities.\u00a0<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">When You Can Process Personal Data?<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Normally, a person, business, or processor may not process personal data. To do this, you must be allowed to do this by fitting into one of the instances listed under Article 6 GDPR. These instances are as follows:\u00a0<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The data subject gives you unambiguous consent to process their data.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Data processing is mandatory for the performance of a contract to which the data subject is a party. Alternatively, processing can be done where it is necessary to take steps at the data subject\u2019s request before entering into such a contract.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Processing the data is necessary to comply with a legal obligation to which your company is subject.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">It is necessary to protect the vital interests (to save their life) of the data subject or another natural person.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Processing is necessary to carry out a task of public interest or to carry out an official function that your company holds.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">It is necessary for the purposes of the legitimate interests pursued by the controller or a third party. However, such interests are overridden by the interests or fundamental freedoms of the data subject \u2013 particularly, where they are children.\u00a0<\/span><\/li>\n<\/ol>\n<h2><img loading=\"lazy\" class=\"alignnone size-full wp-image-731\" src=\"https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/GDPR-Data-Processing-Agreements-min.jpeg\" alt=\"GDPR Data Processing Agreements\" width=\"1356\" height=\"668\" srcset=\"https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/GDPR-Data-Processing-Agreements-min.jpeg 1356w, https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/GDPR-Data-Processing-Agreements-min-300x148.jpeg 300w, https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/GDPR-Data-Processing-Agreements-min-1024x504.jpeg 1024w, https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/GDPR-Data-Processing-Agreements-min-768x378.jpeg 768w, https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/GDPR-Data-Processing-Agreements-min-100x49.jpeg 100w, https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/GDPR-Data-Processing-Agreements-min-700x345.jpeg 700w\" sizes=\"(max-width: 1356px) 100vw, 1356px\" \/><\/h2>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.google.com\/url?sa=i&amp;url=https%3A%2F%2Ftheconversation.com%2Fwhat-does-gdpr-mean-for-me-an-explainer-96630&amp;psig=AOvVaw0-7dmLbXnf_o3YbfpnEmEG&amp;ust=1629285630975000&amp;source=images&amp;cd=vfe&amp;ved=0CAsQjRxqFwoTCLjqxIz4t_ICFQAAAAAdAAAAABAD\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n<h2><span style=\"font-weight: 400;\">Principles of Data Processing<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">While many countries have their own set of data processing principles, there are common principles shared between many nations.<\/span><b>\u00a0<\/b><\/p>\n<h3><span style=\"font-weight: 400;\">Accountability\u00a0<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">The data controller (this is your company) has the responsibility to be accountable for the data that you\/your processor processes. Therefore, this also means that your company must show that it is being GDPR compliant. You can do so through maintaining detailed documentation of all data that you collect and process \u2013 including its storage and purpose. Additionally, staff members should be trained on data protection and GDPR compliance \u2013 this will allow the company to designate more responsibility for data protection onto employees. Alternatively, the company can designate a Data Protection Officer, although this is not a necessity. Finally, and most importantly, you must have data processing agreements in place with all third parties who you contract to process data.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Accuracy<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Data to be processed or data that is being processed should be kept up to date and accurate. Unnecessary data should be erased, and incorrect data must be corrected as soon as it is identified. Where a data subject makes you aware of any change to their data or makes you aware that data kept about them is incorrect, then your company has the duty to update such information that you hold on them to ensure the correctness of the data.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Fairness and Lawfulness<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Primarily, data processing should be fair and lawful \u2013 this mostly requires that the data subject is fully aware of their data being processed (also for what purpose it is being processed) and that the data is processed with their consent. Additionally, data processing should be in line with any national and international laws or customs so as not to render the processing of data unfair. The GDPR specifically states that data processing is only lawful where it fits one of the instances listed under Article 6.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Consent<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Consent has to be freely given, specific to that circumstance, and informed and unambiguous. Similarly, requests that your company sends to data subjects to obtain their consent must be written in clear and plain language. Such requests must also be separate and distinguishable from other matters. Where you obtain consent from a data subject, your company should keep documentary evidence of it. Where a data subject later wants to withdraw their consent, they are free to do so and you must stop processing their data immediately. Finally, children are unable to give consent by themselves \u2013 if they are below 13 years of age, they must have a parent or guardian\u2019s permission to give consent.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Relevance\u00a0<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">When data is to be processed, the purpose of the processing must be communicated clearly to the data subject. As part of this, the data controller must ensure that the data is relevant to the purpose for which it is processed. Additionally, data processing should be limited so that it is only processed where necessary for the purpose of its collection. Time is also a key component of relevance as information can become less or more relevant over time. Therefore, your company must only keep and process the information for as long as it remains relevant to its purpose. TO ensure that data is only kept and processed for as long as necessary, the data controller should establish set time limits, after which data should be deleted, rectified, or archived. This time limit should be reviewed periodically so that it is updated to an adequate time period.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Security<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Data should be processed and stored with adequate security so that it is not misused or misprocessed. The security should be enough to preserve the data subject\u2019s confidentiality and anonymity. Additionally, personal data deserved further protection so that it is kept safe from unauthorized access or use. Risks to data security arise from accidental or intentional unauthorized modification, erasure, or disclosure of data.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Before implementing data security features, your company should consider the current status of data security within your company and its processors. For example, a primary consideration should be the number of people that have access to the data \u2013 the people with access should be limited to only those who are necessary to the processing or storing of data. Additionally, the data should be stored in a safe location with both physical and digital security measures implemented.\u00a0<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Transparency<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">This principle ties in with fairness as data processing might have to be transparent to be fair and lawful. Any data that is being processed or information concerning the processing of personal data should be accessible to the data subject or anyone they nominate to access such data. The information should be presented in a manner that is easy to understand \u2013 this means that the information is laid out clearly and written plainly. Particular information to be conveyed to the data subject includes, but is not limited to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Identity of the data controller\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Information contained on the data subject<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Information to be processed\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">How the processing will take place<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The data subject\u2019s ability to request information that is held on them<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The data subject\u2019s ability to stop the processing\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Relevant rules, rights, and safeguards concerning the process of their data<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">What to Include in a Data Processing Agreement?<\/span><\/h2>\n<p><img loading=\"lazy\" class=\"alignnone size-full wp-image-733\" src=\"https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/What-to-Include-in-a-Data-Processing-Agreement_-.jpeg\" alt=\"What to Include in a Data Processing Agreement_\" width=\"1000\" height=\"667\" srcset=\"https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/What-to-Include-in-a-Data-Processing-Agreement_-.jpeg 1000w, https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/What-to-Include-in-a-Data-Processing-Agreement_--300x200.jpeg 300w, https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/What-to-Include-in-a-Data-Processing-Agreement_--768x512.jpeg 768w, https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/What-to-Include-in-a-Data-Processing-Agreement_--100x67.jpeg 100w, https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/What-to-Include-in-a-Data-Processing-Agreement_--675x450.jpeg 675w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.google.com\/url?sa=i&amp;url=https%3A%2F%2Fwww.impactplus.com%2Fblog%2Fconditions-to-expect-in-a-master-services-agreement-with-a-marketing-agency&amp;psig=AOvVaw3XHByfXw6LrqRm66QYDTzl&amp;ust=1629285913199000&amp;source=images&amp;cd=vfe&amp;ved=0CAsQjRxqFwoTCICbj5P5t_ICFQAAAAAdAAAAABAD\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n<p><span style=\"font-weight: 400;\">The GDPR, Article 28(3) details 8 things that must be included within a data processing agreement. Outside of the below requirements, the rest of the data processing agreement is free to be created as your company wishes.<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The processor must only process the data when they receive documented instructions from the controller.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Persons who have authority to access the data must be committed to confidentiality or must be under statutory obligation to maintain confidentiality.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Appropriate organizational and technical measures must be taken to protect the security of the data.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">According to sections 2 and 4 of Article 28, the data processing must not be subcontracted out to another processor without the explicit instruction of the data controller. Where it is subcontracted upon instruction, a data processing agreement must be signed by that data processor.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The processor should help the data controller by taking appropriate technical and organizational measures for the fulfillment of the controller\u2019s obligations under the GDPR.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The processor must help the data controller maintain GDPR compliance with Article 32 (security in processing) and Article 36 (consulting the data protection authority before undertaking high-risk processing).\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The processor must delete or return all personal data where the agreement to process personal data is terminated.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The processor must make available to the controller all information required to prove compliance with the GDPR. Additionally, the processor must allow the controller to conduct an audit on the processor.<\/span><\/li>\n<\/ol>\n<h2><span style=\"font-weight: 400;\">Example Data Processing Agreements\/Privacy Policies<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Here, you will find links to the data processing agreements for both larger and smaller companies. Use this to find examples of the main clauses as well as to take consideration of any extra clauses that they have included, which could be applied to your business. While most of these are agreements between the company and its customers as opposed to with a processor, the clauses are similar to agreements made with processors \u2013 so it is a good source of inspiration.\u00a0<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><b>Company<\/b><\/td>\n<td><b>Sector\/Industry<\/b><\/td>\n<td><b>Data Processing Agreement<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Google\u00a0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Technology<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Find it <\/span><a href=\"https:\/\/cloud.google.com\/terms\/data-processing-terms#13.-liability\"><span style=\"font-weight: 400;\">here<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Apple<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Technology<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Find it <\/span><a href=\"https:\/\/www.apple.com\/legal\/privacy\/en-ww\/\"><span style=\"font-weight: 400;\">here<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Maersk\u00a0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Shipping\/Transport<\/span><\/td>\n<td><span style=\"font-weight: 400;\">This is their <\/span><a href=\"https:\/\/terms.maersk.com\/privacy\"><span style=\"font-weight: 400;\">main privacy policy<\/span><\/a><span style=\"font-weight: 400;\">. This is backed up by a <\/span><a href=\"https:\/\/assets.website-files.com\/5e4144f862d1c500c16b1334\/5e417bedd77f91c055ffcdff_1d1h989d8_553941.pdf\"><span style=\"font-weight: 400;\">data processing addendum<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Harmonize\u00a0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Chat-based Human Resources Software\u00a0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Find it <\/span><a href=\"https:\/\/www.harmonizehq.com\/tos.html\"><span style=\"font-weight: 400;\">here<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Hrvey\u00a0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Human Resources\u00a0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Find it <\/span><a href=\"https:\/\/www.hrvey.com\/kb\/assets\/pdf\/hrvey_example_data_processing_agreement.pdf\"><span style=\"font-weight: 400;\">here<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Penguin Random House\u00a0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Book Publishing\u00a0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Find it <\/span><a href=\"https:\/\/www.penguin.co.uk\/company\/about-us\/notices\/privacy-policy\/full-privacy-policy.html\"><span style=\"font-weight: 400;\">here<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Linklaters\u00a0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Solicitors\u00a0<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Find it <\/span><a href=\"https:\/\/www.linklaters.com\/en\/legal-notices\/privacy-notice\"><span style=\"font-weight: 400;\">here<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-weight: 400;\">Every company has a slightly varied data processing agreement, however, they all stem from a similar template and substantially contain similar clauses. Below, you will find a sample template for a data protection agreement.\u00a0<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Data Protection Agreement Template\u00a0<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The following template has been provided by Proton Technologies as part of its reporting on the General Data Protection Regulation (GDPR). While the template is a good example to base your data protection agreement on, it will not cover everything that your company may wish to. So, you must take independent legal advice to ensure that the company covers all bases.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If instead of a data protection agreement, the company wishes to create an entire privacy policy, then you can find a link to a template for one <\/span><a href=\"https:\/\/gdpr.eu\/wp-content\/uploads\/2019\/01\/Our-Company-Privacy-Policy.pdf\"><span style=\"font-weight: 400;\">here<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This Data Processing Agreement (\u201c<\/span><b>Agreement<\/b><span style=\"font-weight: 400;\">\u201c) forms part of the Contract for<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">Services (\u201c<\/span><b>Principal Agreement<\/b><span style=\"font-weight: 400;\">\u201c) between<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">_____________________<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">_____________________<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">_____________________<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">(the \u201c<\/span><b>Company<\/b><span style=\"font-weight: 400;\">\u201d) and<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">_____________________<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">_____________________<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">_____________________<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">(the \u201cData Processor\u201d)<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">(together as the \u201c<\/span><b>Parties<\/b><span style=\"font-weight: 400;\">\u201d)<\/span><\/p>\n<p><span style=\"font-weight: 400;\">WHEREAS<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(A) The Company acts as a Data Controller.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework concerning data processing and with the Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons about the processing of personal data and on the free movement of such data and repealing Directive 95\/46\/EC (General Data Protection Regulation).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">(D) The Parties wish to lay down their rights and obligations.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">IT IS AGREED AS FOLLOWS:<\/span><\/p>\n<ol>\n<li><span style=\"font-weight: 400;\"> Definitions and Interpretation<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">1.1.1 \u201cAgreement\u201d means this Data Processing Agreement and all Schedules;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">1.1.2 \u201cCompany Personal Data\u201d means any Personal Data Processed by a Contracted Processor on behalf of Company according to or in connection with the Principal Agreement;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">1.1.3 \u201cContracted Processor\u201d means a Subprocessor;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">1.1.4 \u201cData Protection Laws\u201d means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">1.1.5 \u201cEEA\u201d means the European Economic Area;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">1.1.6 \u201cEU Data Protection Laws\u201d means EU Directive 95\/46\/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">1.1.7 \u201cGDPR\u201d means EU General Data Protection Regulation 2016\/679;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">1.1.8 \u201cData Transfer\u201d means:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">1.1.8.1 a transfer of Company Personal Data from the Company to a Contracted Processor; or<\/span><\/p>\n<p><span style=\"font-weight: 400;\">1.1.8.2 an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);<\/span><\/p>\n<p><span style=\"font-weight: 400;\">1.1.9 \u201cServices\u201d means the __________________ services the Company provides.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">1.1.10 \u201cSubprocessor\u201d means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Company in connection with the Agreement.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">1.2 The terms, \u201cCommission\u201d, \u201cController\u201d, \u201cData Subject\u201d, \u201cMember State\u201d, \u201cPersonal Data\u201d, \u201cPersonal Data Breach\u201d, \u201cProcessing\u201d and \u201cSupervisory Authority\u201d shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.<\/span><\/p>\n<ol start=\"2\">\n<li><span style=\"font-weight: 400;\"> Processing of Company Personal Data<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">2.1 Processor shall:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and<\/span><\/p>\n<p><span style=\"font-weight: 400;\">2.1.2 not Process Company Personal Data other than on the relevant Company\u2019s documented instructions.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">2.2 The Company instructs Processor to process Company Personal Data.<\/span><\/p>\n<ol start=\"3\">\n<li><span style=\"font-weight: 400;\"> Processor Personnel<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know \/ access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual\u2019s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> Security<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">4.2 In assessing the appropriate level of security, Processor shall take into account the risks presented by Processing, particularly from a Personal Data Breach.<\/span><\/p>\n<ol start=\"5\">\n<li><span style=\"font-weight: 400;\"> Subprocessing<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">5.1 Processor shall not appoint (or disclose any Company Personal Data to) any Subprocessor unless required or authorized by the Company.<\/span><\/p>\n<ol start=\"6\">\n<li><span style=\"font-weight: 400;\"> Data Subject Rights<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">6.1 Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">6.2 Processor shall:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">6.2.1 promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and<\/span><\/p>\n<p><span style=\"font-weight: 400;\">6.2.2 ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.<\/span><\/p>\n<ol start=\"7\">\n<li><span style=\"font-weight: 400;\"> Personal Data Breach<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">7.1 Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">7.2 Processor shall co-operate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.<\/span><\/p>\n<ol start=\"8\">\n<li><span style=\"font-weight: 400;\"> Data Protection Impact Assessment and Prior Consultation Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> Deletion or return of Company Personal Data<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">9.1 Subject to this section 9 Processor shall promptly and in any event within<\/span><\/p>\n<p><span style=\"font-weight: 400;\">10 business days of the date of cessation of any Services involving the Processing of Company Personal Data (the \u201cCessation Date\u201d), delete and procure the deletion of all copies of those Company Personal Data.<\/span><\/p>\n<ol start=\"10\">\n<li><span style=\"font-weight: 400;\"> Audit rights<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">10.1 Subject to this section 10, Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Company Personal Data by the Contracted Processors.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">10.2 Information and audit rights of the Company only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.<\/span><\/p>\n<ol start=\"11\">\n<li><span style=\"font-weight: 400;\"> Data Transfer<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">11.1 The Processor may not transfer or authorize the transfer of Data to countries outside the EU and\/or the European Economic Area (EEA) without the Company&#8217;s prior written consent. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of personal data.<\/span><\/p>\n<ol start=\"12\">\n<li><span style=\"font-weight: 400;\"> General Terms<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (\u201cConfidential Information\u201d) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">(a) disclosure is required by law;<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">(b) the relevant information is already in the public domain.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post, or sent by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address.<\/span><\/p>\n<ol start=\"13\">\n<li><span style=\"font-weight: 400;\"> Governing Law and Jurisdiction<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">13.1 This Agreement is governed by the laws of _______________.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">13.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of _________________, subject to possible appeal to __________________________________.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Your Company<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">Signature ______________________________<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">Name: ________________________________<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">Title: _________________________________<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">Date Signed: ___________________________<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">Processor Company<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">Signature ______________________________<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">Name _________________________________<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">Title __________________________________<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">Date Signed ____________________________<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>GDPR transformed data processing across the world. In this guide, we take you through definitions, agreements, and templates.<\/p>\n","protected":false},"author":2,"featured_media":734,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v18.4.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>The Guide to Data Processing Agreements | HarmonizeHQ<\/title>\n<meta name=\"description\" content=\"GDPR transformed data processing across the world. In this guide, we take you through definitions, agreements, and templates.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The Guide to Data Processing Agreements | HarmonizeHQ\" \/>\n<meta property=\"og:description\" content=\"GDPR transformed data processing across the world. In this guide, we take you through definitions, agreements, and templates.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/\" \/>\n<meta property=\"og:site_name\" content=\"Harmonize | Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-19T11:11:24+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-08-17T11:39:09+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/Data-Processing-Agreements-Featured-Image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"950\" \/>\n\t<meta property=\"og:image:height\" content=\"500\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.harmonizehq.com\/blog\/#website\",\"url\":\"https:\/\/www.harmonizehq.com\/blog\/\",\"name\":\"Harmonize | Blog\",\"description\":\"All Things HR\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.harmonizehq.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/Data-Processing-Agreements-Featured-Image.jpg\",\"contentUrl\":\"https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/Data-Processing-Agreements-Featured-Image.jpg\",\"width\":950,\"height\":500,\"caption\":\"Data Processing Agreements Featured Image\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/#webpage\",\"url\":\"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/\",\"name\":\"The Guide to Data Processing Agreements | HarmonizeHQ\",\"isPartOf\":{\"@id\":\"https:\/\/www.harmonizehq.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/#primaryimage\"},\"datePublished\":\"2021-08-19T11:11:24+00:00\",\"dateModified\":\"2021-08-17T11:39:09+00:00\",\"author\":{\"@id\":\"https:\/\/www.harmonizehq.com\/blog\/#\/schema\/person\/3715fd9ea2cd87fea82eee5a5ddfd297\"},\"description\":\"GDPR transformed data processing across the world. In this guide, we take you through definitions, agreements, and templates.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.harmonizehq.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The Guide to Data Processing Agreements\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.harmonizehq.com\/blog\/#\/schema\/person\/3715fd9ea2cd87fea82eee5a5ddfd297\",\"name\":\"Author\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.harmonizehq.com\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/06a378c2b7451c6e70f3dff7caf1bbe6?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/06a378c2b7451c6e70f3dff7caf1bbe6?s=96&d=mm&r=g\",\"caption\":\"Author\"},\"url\":\"https:\/\/www.harmonizehq.com\/blog\/author\/author\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The Guide to Data Processing Agreements | HarmonizeHQ","description":"GDPR transformed data processing across the world. In this guide, we take you through definitions, agreements, and templates.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/","og_locale":"en_US","og_type":"article","og_title":"The Guide to Data Processing Agreements | HarmonizeHQ","og_description":"GDPR transformed data processing across the world. In this guide, we take you through definitions, agreements, and templates.","og_url":"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/","og_site_name":"Harmonize | Blog","article_published_time":"2021-08-19T11:11:24+00:00","article_modified_time":"2021-08-17T11:39:09+00:00","og_image":[{"width":950,"height":500,"url":"https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/Data-Processing-Agreements-Featured-Image.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Written by":"Author","Est. reading time":"16 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.harmonizehq.com\/blog\/#website","url":"https:\/\/www.harmonizehq.com\/blog\/","name":"Harmonize | Blog","description":"All Things HR","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.harmonizehq.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/#primaryimage","inLanguage":"en-US","url":"https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/Data-Processing-Agreements-Featured-Image.jpg","contentUrl":"https:\/\/blog.harmonizehq.com\/wp-content\/uploads\/Data-Processing-Agreements-Featured-Image.jpg","width":950,"height":500,"caption":"Data Processing Agreements Featured Image"},{"@type":"WebPage","@id":"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/#webpage","url":"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/","name":"The Guide to Data Processing Agreements | HarmonizeHQ","isPartOf":{"@id":"https:\/\/www.harmonizehq.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/#primaryimage"},"datePublished":"2021-08-19T11:11:24+00:00","dateModified":"2021-08-17T11:39:09+00:00","author":{"@id":"https:\/\/www.harmonizehq.com\/blog\/#\/schema\/person\/3715fd9ea2cd87fea82eee5a5ddfd297"},"description":"GDPR transformed data processing across the world. In this guide, we take you through definitions, agreements, and templates.","breadcrumb":{"@id":"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.harmonizehq.com\/blog\/data-processing-agreements\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.harmonizehq.com\/blog\/"},{"@type":"ListItem","position":2,"name":"The Guide to Data Processing Agreements"}]},{"@type":"Person","@id":"https:\/\/www.harmonizehq.com\/blog\/#\/schema\/person\/3715fd9ea2cd87fea82eee5a5ddfd297","name":"Author","image":{"@type":"ImageObject","@id":"https:\/\/www.harmonizehq.com\/blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/06a378c2b7451c6e70f3dff7caf1bbe6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/06a378c2b7451c6e70f3dff7caf1bbe6?s=96&d=mm&r=g","caption":"Author"},"url":"https:\/\/www.harmonizehq.com\/blog\/author\/author\/"}]}},"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.harmonizehq.com\/blog\/wp-json\/wp\/v2\/posts\/730"}],"collection":[{"href":"https:\/\/www.harmonizehq.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.harmonizehq.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.harmonizehq.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.harmonizehq.com\/blog\/wp-json\/wp\/v2\/comments?post=730"}],"version-history":[{"count":1,"href":"https:\/\/www.harmonizehq.com\/blog\/wp-json\/wp\/v2\/posts\/730\/revisions"}],"predecessor-version":[{"id":735,"href":"https:\/\/www.harmonizehq.com\/blog\/wp-json\/wp\/v2\/posts\/730\/revisions\/735"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.harmonizehq.com\/blog\/wp-json\/wp\/v2\/media\/734"}],"wp:attachment":[{"href":"https:\/\/www.harmonizehq.com\/blog\/wp-json\/wp\/v2\/media?parent=730"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.harmonizehq.com\/blog\/wp-json\/wp\/v2\/categories?post=730"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.harmonizehq.com\/blog\/wp-json\/wp\/v2\/tags?post=730"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}