Effective from 18th January 2023
(Collectively referred to as the "Parties").
Effective Date: [Date of Agreement]
1. Definitions
1.1 "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
1.2 "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
2. Scope of Processing
2.1 Purpose of Processing: The Controller engages the Processor to process Personal Data for the purpose of [Specify the purpose of data processing, e.g., "managing and tracking donations, communicating with donors, and providing donor support services"].
2.2 Types of Personal Data: The Personal Data processed may include, but is not limited to, the following categories: [List the types of Personal Data being processed, e.g., "names, addresses, email addresses, donation history"].
3. Data Security and Confidentiality
3.1 Security Measures: The Processor shall implement appropriate technical and organizational measures to ensure the security and confidentiality of Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
3.2 Confidentiality: The Processor shall ensure that any personnel authorized to process Personal Data are subject to a duty of confidentiality.
4. Data Subject Rights
4.1 Assistance to Controller: The Processor shall assist the Controller in responding to requests from Data Subjects regarding their rights under applicable data protection laws.
5. Sub-Processors
5.1 Engagement of Sub-Processors: The Processor shall not engage any sub-processor without the prior written consent of the Controller.
6. Data Breach Notification
6.1 Notification Obligations: In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay after becoming aware of the breach.
7. Data Protection Impact Assessment and Prior Consultation
7.1 Assistance to Controller: The Processor shall provide reasonable assistance to the Controller with data protection impact assessments and consultations with supervisory authorities, as required by applicable data protection laws.
8. Duration and Termination
8.1 Duration: This DPA shall remain in effect until terminated by either Party.
8.2 Termination: Either Party may terminate this DPA with immediate effect if the other Party breaches its material obligations under this DPA.
9. Governing Law
9.1 Governing Law: This DPA shall be governed by and construed in accordance with the laws of [Your Jurisdiction].
10. Miscellaneous
10.1 Entire Agreement: This DPA constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties.
IN WITNESS WHEREOF, the Parties hereto have executed this Data Processing Agreement as of the Effective Date.
For the Data Controller: