Data Processing Clause (GDPR): template clause

    Updated: 25 March 2026

    Please note: these example clauses are intended as a starting point, not as legal advice. Always adapt the text to your specific situation and have important contracts reviewed by a legal professional.

    Clause text

    Article [X] - Data Processing

    1. In the performance of this Agreement, the Processor shall process personal data solely on behalf of and under the instructions of the Controller, in accordance with the General Data Protection Regulation (GDPR) and applicable national implementing legislation.

    2. The processing concerns the following categories of personal data: [list, e.g. name, email address, job title, contract details] relating to the following categories of data subjects: [list, e.g. employees, customers, supplier contacts]. The processing is carried out for the following purposes: [list].

    3. The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including at a minimum:
    (a) encryption of personal data at rest and in transit;
    (b) access controls on a need-to-know basis;
    (c) periodic security audits and penetration tests;
    (d) a procedure for regularly testing and evaluating the effectiveness of the measures.

    4. The Processor shall not engage any sub-processor without the prior written consent of the Controller. The Processor shall impose on each sub-processor at least the same obligations as those set out in this Article.

    5. The Processor shall notify the Controller of a personal data breach within [number, e.g. 24] hours of becoming aware of it, specifying the nature of the breach, the data affected, the estimated scope, and the measures taken or proposed.

    6. Upon termination of this Agreement, the Processor shall, at the Controller's election, return or delete all personal data within [number] business days and confirm in writing that no copies have been retained, unless retention is required by law.

    What does this clause mean?

    A data processing clause sets out how an external party (the processor) handles personal data on behalf of your organisation. The General Data Protection Regulation (GDPR) requires you to have a data processing agreement with every party that processes personal data on your behalf. Failure to do so can result in fines of up to EUR 10 million or 2% of global annual turnover.

    Paragraph 3 contains specific security measures. The GDPR requires "appropriate technical and organisational measures" but deliberately leaves the details open. By specifying minimum requirements, you create a testable framework. According to Ironclad (2025), 92% of all contract management errors are human errors. A data processing clause with vague security commitments increases the risk that a data breach goes undetected for an unnecessarily long time.

    Paragraph 6 addresses the exit scenario: after the relationship ends, data must be returned or destroyed. Without this provision, your customer data could remain with a former supplier indefinitely.

    When should you use this clause?

    Use this clause in every agreement where an external party processes personal data on your behalf. This includes cloud providers, payroll administrators, CRM platforms, email marketing services, and contract management software.

    The clause can be included as an article in the main contract or as a separate schedule (data processing agreement). Research by Loio (2026) shows that [71% of contracts are never monitored for compliance after signing](/en/clm-statistics/). For data processing agreements, that is especially risky: supervisory authorities actively check whether organisations manage their processors properly. Record which suppliers process personal data and when their security measures were last reviewed.

    Customize these elements

    1. Tailor the categories of personal data and data subjects to the actual data flows. The more specific, the better.
    2. Set the breach notification deadline shorter than the statutory 72-hour window for notifying the supervisory authority, so that you have time to assess and report.
    3. Consider including an audit right to periodically verify the processor's security measures.
    4. For international processors, include provisions on transfers outside the EEA, including the required safeguards (standard contractual clauses or an adequacy decision).
