Data Protection Addendum (DPA)
This Data Protection Addendum (“DPA”) forms part of the agreement (the “Agreement”) between [Your Company Name] (“Data Controller”) and [Service Provider Name] (“Data Processor”) for the provision of services (“Services”) and addresses the processing of personal data in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
This DPA is effective as of the date of signature of the Agreement and remains in force for the duration of the Agreement.
1. Definitions
- “Personal Data”: Any information relating to an identified or identifiable natural person (“Data Subject”).
- “Processing”: Any operation or set of operations performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, or erasure.
- “Data Controller”: The entity that determines the purposes and means of processing Personal Data.
- “Data Processor”: The entity that processes Personal Data on behalf of the Data Controller.
- “Sub-Processor”: Any third party authorized by the Data Processor to process Personal Data on behalf of the Data Controller.
- “Data Subject Rights”: The rights of the individuals whose Personal Data is processed, as outlined in data protection laws.
2. Data Processing Obligations
2.1 Processing of Personal Data
The Data Processor agrees to process Personal Data solely for the purposes specified in the Agreement and only in accordance with the documented instructions of the Data Controller.
2.2 Categories of Personal Data
The types of Personal Data processed under this DPA may include, but are not limited to:
- Contact information (e.g., name, email address, phone number)
- Business data (e.g., inventory lists, IC models, BOM data)
- Technical data (e.g., IP addresses, browser types)
2.3 Purpose of Processing
The Data Processor is permitted to process Personal Data for the sole purpose of providing the services outlined in the Agreement, including but not limited to:
- Evaluating and processing component recovery requests
- Generating quotations or reports
- Managing business communications and customer support
3. Rights of Data Subjects
The Data Processor shall assist the Data Controller in responding to any requests from Data Subjects exercising their rights under GDPR or CCPA, including:
- Right to Access: Provide copies of the Personal Data the Data Controller holds.
- Right to Rectification: Correct any inaccurate or incomplete Personal Data.
- Right to Erasure: Delete Personal Data upon request, subject to applicable legal obligations.
- Right to Restriction of Processing: Restrict the processing of Personal Data if necessary.
- Right to Data Portability: Provide Personal Data in a structured, commonly used format.
- Right to Object: Allow Data Subjects to object to processing based on legitimate interests or direct marketing.
4. Security of Personal Data
4.1 Security Measures
The Data Processor shall implement appropriate technical and organizational measures to protect Personal Data from unauthorized access, disclosure, alteration, and destruction. These measures must be aligned with industry standards and applicable data protection laws.
4.2 Breach Notification
In the event of a data breach that affects Personal Data, the Data Processor shall notify the Data Controller without undue delay and cooperate fully with the Data Controller to mitigate any adverse effects.
5. Sub-Processors
5.1 Authorization of Sub-Processors
The Data Processor may engage Sub-Processors to perform certain services. The Data Processor will provide a list of any Sub-Processors used to process Personal Data and will obtain prior written consent from the Data Controller before adding or replacing any Sub-Processor.
5.2 Sub-Processor Obligations
The Data Processor shall ensure that all Sub-Processors are bound by contractual obligations that are at least as stringent as those outlined in this DPA. The Data Processor remains fully liable for the actions of any Sub-Processor.
6. Data Transfers
6.1 International Transfers
If Personal Data is transferred outside the European Economic Area (EEA) or other jurisdictions with strict data protection laws, the Data Processor shall ensure that such transfers are compliant with applicable data protection laws, including the use of appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
7. Data Retention
The Data Processor shall only retain Personal Data for as long as necessary to fulfill the purposes of processing outlined in the Agreement, and in accordance with applicable legal obligations. Upon termination of the Agreement, the Data Processor shall, at the Data Controller’s choice, either return or securely delete all Personal Data.
8. Audits and Inspections
The Data Controller has the right to audit the Data Processor’s compliance with this DPA by either conducting an internal review or engaging a third-party auditor. The Data Processor shall cooperate fully and provide access to necessary records and facilities to facilitate the audit.
9. Liability
The Data Processor acknowledges that it may be liable for any breach of this DPA and will indemnify the Data Controller against any claims, damages, or losses arising from such breaches, subject to the limits outlined in the Agreement.
10. Governing Law
This DPA is governed by the laws of [Insert Jurisdiction], without regard to conflict-of-law rules. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts in [Insert Jurisdiction].
11. Termination
Upon termination or expiration of the Agreement, the Data Processor shall immediately cease processing Personal Data and, at the Data Controller’s request, return or securely destroy all Personal Data in its possession.
12. Miscellaneous
12.1 Entire Agreement
This DPA constitutes the entire agreement between the parties with respect to data protection and supersedes all prior agreements or understandings regarding the processing of Personal Data.
12.2 Amendments
This DPA may only be amended in writing, signed by authorized representatives of both parties.
