GDPR Data Processing Addendum

GDPR Data Processing Addendum
(Client as CONTROLLER and Access as PROCESSOR)

This GDPR Data Processing Addendum (“Addendum”) is made between the Access company set forth in the client’s agreement (“Access”) and the client (“CLIENT/CONTROLLER”), collectively “the Parties”, and supplements the Master Agreement for Records Storage and Management Services and/or Service Agreement for Secure Destruction Services and/or Access service terms and conditions  at and or other agreement (the applicable agreement hereinafter referred to as the “Agreement”) entered into between Access and client pursuant to which Access is providing services for information/records storage and/or confidential destruction of records.

This Addendum is supplemental to the Agreement and shall apply only to the extent: (1) Access processes Personal Data of Data Subjects located in the EU/EEA or Switzerland on behalf of its client and such activities are subject to regulation in accordance with EU Data Protection Legislation or the EU General Data Protection Regulation (“GDPR”) (collectively the “EU Regulations”); and (2) the parties have not executed an addendum that complies with the EU Regulations.

This Addendum shall be effective as of the later of the effective date of the Agreement and May 25, 2018. Any claims brought under this Addendum will be subject to the terms and conditions, including exclusions and limitations, within the Agreement.

  1. DEFINITIONS. For the purposes of this Addendum:
    1. “Agreement” means the terms of service, terms and conditions, or Master Agreement between Access and CLIENT/CONTROLLER.
    2. “Controller” means the company, agency, or individual who determines the purposes and means of the processing of personal data. Under this Addendum, the CLIENT/CONTROLLER is the Controller.
    3. “Data Subject” means the identified or identifiable individual whose personal data is being processed.
    4. “EU Data Protection Legislation” means 1) prior to May 25, 2018, EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, or 2) on or after May 25, 2018, the EU General Data Protection Regulation (GDPR) as repealing the Directive 95/46/EC.
    5. “Personal Data” means any information relating to an identified or identifiable natural person (data subject) such as name, business or personal phone number, address or email address if not public, an identification number, location data, an online identifier, etc. processed by Access or an approved sub-processor on behalf of a CLIENT/CONTROLLER pursuant to an Agreement.
    6. “Processing” means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    7. “Processor” or “Data Processor” means the company, agency, or individual who processes the data based on the instructions of the Controller. Under this Addendum, Access is the Processor.
    8. “Sub-Processor” means any Processor engaged by Access for the purposes of carrying out specific processing activities on behalf of the Controller.
    9. “Supervisory Authority” or “Data Protection Authority” means any independent public authority appointed by a European Union Member State who is tasked with enforcing the EU Data Protection Legislation and is a main point of contact for reporting compliance.


2.1          Role of the Parties.  For the purposes of this Addendum: (i) CLIENT/CONTROLLER, as the Controller, engages Access as a Processor; or (ii) Where the CLIENT/CONTROLLER is a Processor, Access is hereby engaged as the client’s Sub-Processor. In such event client represents and warrants that it complies with all EU Regulations governing processors and has the legal authority and authorization from the controller to engage Access as a sub-processor. Each Party will comply with the applicable obligations and responsibilities under the EU Data Protection Legislation.


3.1          Details of Processing.  CLIENT/CONTROLLER will communicate in writing to the Access Compliance department (“the relevant Access Authority”) at the specific processing or transfer instructions in order for Access to fulfill its processing or transfer activities relating to Personal Data in accordance with these instructions.  Access will only allow processing by its employees or Sub-Processors of the Personal Data on behalf of and in accordance with the CLIENT/CONTROLLER’s written instructions, any existing Agreement between the Parties, and this Addendum, unless processing is required by a law or regulation to which Access is subject, in which case Access will inform the CLIENT/CONTROLLER of that legal requirement before the relevant processing of that Personal Data.  Access’ EU-U.S. Privacy Shield Framework self-certification applies to any transfers of Personal Data to Access under this Addendum from the EEA to the United States, to the extent such transfers are subject to EU Data Protection Legislation.  The duration of processing will be the same as the duration of the Agreement, except as otherwise agreed to in the Agreement or in writing by the Parties. Schedule A to this Addendum sets out certain information regarding Access’ processing of Personal Data as required by Article 28(3) of the GDPR.

CLIENT/CONTROLLER warrants and represents that it is and will at all times (i) remain duly and effectively authorized to give the instruction set out above, and (ii) have in place all fair processing notices and (where applicable) consent mechanisms for Data Subjects sufficient to ensure that all processing of Personal Data envisaged by this Addendum and each existing Agreement will be lawful and shall not contravene EU Data Protection Legislation.

3.2          Due Diligence.  Access will make available, on reasonable request, information necessary to demonstrate compliance with this Addendum or the EU Data Protection Legislation. Access shall immediately, to the extent reasonable, inform CLIENT/CONTROLLER if any instruction from CLIENT/CONTROLLER with respect to the processing of Personal Data under or in connection with this Addendum infringes EU Data Protection Legislation.

3.3          Audit.  Access will make reasonable efforts to allow for and contribute to an audit or inspection, conducted by the CLIENT/CONTROLLER or another auditor mandated by CLIENT/CONTROLLER, at their sole cost and expense, and approved by Access, during normal business hours, for the purpose of demonstrating compliance by Access with its obligations under EU Data Protection Legislation with respect to Personal Data.  CLIENT/CONTROLLER will provide, and will ensure that any mandated auditor provides, reasonable notice to Access prior to any audit.  During an audit, CLIENT/CONTROLLER or any mandated auditor will avoid causing damage, injury or disruption to Access’ facility, equipment or personnel.  The scope, timing, and duration of the audit will be agreed upon by Access and CLIENT/CONTROLLER; provided that CLIENT/CONTROLLER will not require audits or inspections to be carried out more frequently than once in any 12 month period and shall ensure that appropriate confidentiality provisions are agreed upon between the Access and any third party involved in audit or inspection. The information and audit rights set out in this Clause 3.3 only arise to the extent that the relevant existing Agreement does not otherwise provide the CLIENT/CONTROLLER with information and audit rights sufficient to meet the requirements of applicable EU Data Protection Legislation (including Article 28(3) of the GDPR).

3.4          Return or Destruction of Personal Data.  Upon termination of the Agreement between CLIENT/CONTROLLER and Access for any reason, Access will, to the extent technically feasible, delete or return all Personal Data to CLIENT/CONTROLLER in accordance with its instructions and subject to the applicable price schedule(s) in the Agreement.  Access will provide written certification that it has fully complied with the return or destruction of this Personal Data.  Notwithstanding the foregoing, Access may retain Personal Data to the extent required by law or regulation, provided that it ensures the confidentiality of retained Personal Data and that such Personal Data is only processed as required by law or regulation.

3.5          Reimbursement.  If allowed by law, CLIENT/CONTROLLER will pay Access for any costs arising from and time spent assisting the CLIENT/CONTROLLER in the areas as described in sections 3.2 through 3.4.  Expenses will be billed at costs.  Time will be charged at Access’ current professional rate.  Upon request, Access will provide this rate to CLIENT/CONTROLLER prior to the beginning of the audit.


4.1          Requests. Access will provide reasonable assistance to CLIENT/CONTROLLER with requests from data subjects or data protection authorities as required by EU Data Protection Legislation.  If a Data Subject contacts Access directly, Access will not provide any information and will direct the Data Subject to the CLIENT/CONTROLLER, except upon documented instruction of the CLIENT/CONTROLLER or as required by applicable laws or regulation.  CLIENT/CONTROLLER will be responsible for responding to the request, which might require the use of Access’ products or services. Taking into account the nature of the processing, Access will reasonably assist the CLIENT/CONTROLLER, using appropriate organizational and technical measures, with its obligations to respond to requests for exercising data subjects’ rights.

In its physical records services, Access may be limited in the assistance it can provide as the contents of each box is unknown to Access.  The CLIENT/CONTROLLER is responsible for the indexing of the box contents, and Access only has access to this index information provided by CLIENT/CONTROLLER.  If the CLIENT/CONTROLLER chooses to provide minimal indexing information, Access would not be able to determine if Data Subject information was contained in the box if the CLIENT/CONTROLLER asked for assistance with a Data Subject request. In such an instance where CLIENT/CONTROLLER provides minimal indexing information where a structured set of personal data cannot be searched or accessed by reference to relevant criteria, and accordingly are not part of a relevant filing system, GDPR requirements set forth in this Addendum would not apply.

4.2          Data Breach.  Access will promptly notify CLIENT/CONTROLLER about any actual breach of personal data.  Further, Access will assist CLIENT/CONTROLLER in collecting information about any actual breach of personal data, or in notifying the supervisory authority and data subjects of a data breach, pursuant to the GDPR.  CLIENT/CONROLLER agrees that, with regards to any communication with Data Subjects or Data Protection Authority relating to Personal Data, CLIENT/CONTROLLER will act in good faith, not misrepresent Access or its Sub-Processors or call them into disrepute, and, to the extent permitted by the relevant EU Data Protection Legislation, consult in advance with Access in relation to such communication.

4.3          Data Processing Impact Assessments (“DPIA”).  Access will provide commercially reasonable assistance with any DPIA and any required prior consultation with the Supervisory Authority which the CLIENT/CONTROLLER is required to undergo in order to comply with Articles 35 and 36 of the GDPR, in each case solely in relation to the processing of Personal Data and taking into account the nature of processing and information available to Access.

4.4          Recordkeeping.  Access will provide reasonable assistance to CLIENT/CONTROLLER in maintaining its record of processing activities in accordance with Article 30 of the GDPR.  Access agrees to provide its own record of processing activities containing details specified in Article 30 if required by the GDPR.

4.5          Reimbursement.  If allowed by law, CLIENT/CONTROLLER will pay Access for any costs arising from and time spent assisting the CLIENT/CONTROLLER in the areas as described in sections 4.1, 4.3, and 4.4.  Expenses will be billed at costs.  Time will be charged at Access’ current professional rate.  Upon request, Access will provide this rate to CLIENT/CONTROLLER prior to the beginning of the audit.


5.1          Training.  Access will ensure that all employees with access to the Personal Data provided by CLIENT/CONTROLLER will receive security, privacy, and data protection training and instruction on their obligations and responsibilities in the processing of Personal Data.

5.2          Confidentiality.  Access will ensure that employees and Sub-Processors who have been assigned to perform the services required to process the Personal Data are aware of the legal obligation of confidentiality.


6.1          Measures. Access agrees to implement and maintain appropriate technical and organizational measures in relation to the processing of Personal Data by Access to ensure a level of security appropriate to the risks presented by such processing, in particular from a data breach, and in a manner that the processing will meet the requirements of the GDPR, including but not limited to Article 32.

6.2          Access to Personal Data.  Access will ensure that access to the Personal Data provided by CLIENT/CONTROLLER is limited to those employees engaged in the processing of the data.


7.1          Current Sub-Processors.  CLIENT/CONTROLLER hereby provides Access general permission to appoint Sub-Processors subject to sections 7.2 and 7.3. Access may continue to use Sub-Processors already engaged at the time of this Addendum.

7.2          Prior Authorization.  Before engaging new Sub-Processors, Access will provide written notification to CLIENT/CONTROLLER regarding the engagement or of all intended changes regarding the replacement or addition of Sub-Processors to allow for objections.

7.3          Controller Objection.  CLIENT/CONTROLLER may object in writing to a new Sub-Processor within five (5) calendar days after receipt of the written notification referenced in Section 7.2.   If the CLIENT/CONTROLLER objects on reasonable grounds, Access and CLIENT/CONTROLLER will discuss reasonable alternative solutions in good faith.  If no resolution is reached, Access will not appoint the new Sub-Processor and will seek an alternative new Sub-Processor, or if an alternative Sub-Processor is not found, CLIENT/CONTROLLER has the right to terminate its Agreement with Access in accordance with provisions of the Agreement.

7.4          Processing Obligations.  Access will ensure that Sub-Processors are aware of processing obligations under the Agreement and this Addendum and any applicable laws and regulations, including the GDPR.


Should any provision of this Addendum be invalid or unenforceable, then the remainder of the Addendum will remain valid and in force.

If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will control. This Addendum is entered into and becomes a binding part of the Agreement. 


Nature and Purpose of Processing

Access will process Personal Data as necessary to perform the services pursuant to the Agreement.

Duration of Processing

Access will process Personal Data for the duration of the Agreement.

Categories of Data Subjects

All categories determined by the CLIENT/CONTROLLER, including but not limited to:

prospects, clients, customers, vendors, employees or potential employees of clients

Types of Personal Data

Personal Data determined by the CLIENT/CONTROLLER, which may include all information relating to a person, including name, title, position, contact information,

an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.

Special Categories of Data (if appropriate) 

As determined by CLIENT/CONTROLLER. CLIENT/CONTROLLER represents and warrants that it complies with Article 9 of GDPR and Access is relying upon such compliance in processing such Personal Data at the direction of CLIENT/CONTROLLER.

Posted: September 25, 2018


Talk to an expert who can help you find the right solution.