DPA — Regulatory Framework
Digital Personal Data Protection Act, 2023 (India) — Data Processor obligations
EU General Data Protection Regulation (GDPR) — Article 28 (if applicable)
UK GDPR — Article 28 (if applicable)
IT (Reasonable Security Practices and Procedures) Rules, 2011
A Data Processing Agreement is mandatory when a Data Fiduciary engages a third-party Data Processor. Under the DPDP Act, Data Processors may process personal data only on documented instructions from the Data Fiduciary. GDPR-applicable entities must ensure processors provide sufficient guarantees (Art. 28).
DATA PROCESSING AGREEMENT
DPDP Act 2023
This Data Processing Agreement ("DPA" or "Agreement") is entered into on [Date], BETWEEN:
DATA FIDUCIARY (CONTROLLER)
Acme Technologies Pvt Ltd
Signatory: Rajesh Mehta, Chief Privacy Officer
Data Fiduciary registered address
DATA PROCESSOR
CloudServices Pvt Ltd
Signatory: Priya Kapoor, Chief Executive Officer
Data Processor registered address
The Data Fiduciary and the Data Processor are individually referred to as a "Party" and collectively as the "Parties".
SCHEDULE 1 — DETAILS OF PROCESSING
Nature of Processing: Processing of customer contact data, usage analytics, and support tickets for the purpose of providing cloud CRM services.
Categories of Personal Data: Name, email address, phone number, usage logs, support communication records
Categories of Data Subjects: Customers, leads, support users
Processing Location(s): India (Mumbai), Singapore
DPA Term: As per the underlying service agreement
1. Definitions
"Personal Data", "Data Fiduciary", "Data Processor", "Data Principal", "Consent", "Processing" shall have the meanings assigned to them under the Digital Personal Data Protection Act, 2023 ("DPDP Act").
2. Scope and Role of Parties
The Data Processor shall process personal data only for and on behalf of the Data Fiduciary, and only in accordance with the documented instructions of the Data Fiduciary as set out in this DPA and the underlying service agreement. The Data Processor shall not process personal data for any other purpose. If the Data Processor determines that an instruction infringes applicable data protection law, it shall promptly notify the Data Fiduciary.
3. Obligations of the Data Processor
The Data Processor shall: (a) process personal data only on documented instructions from the Data Fiduciary; (b) ensure that all personnel who process personal data are bound by appropriate confidentiality obligations; (c) implement and maintain appropriate technical and organisational security measures as specified in Schedule 2; (d) assist the Data Fiduciary in responding to Data Principals' rights requests under the DPDP Act within the applicable timelines; (e) make available all information necessary to demonstrate compliance with this DPA and cooperate with audits by the Data Fiduciary; (f) promptly notify the Data Fiduciary of any actual or suspected personal data breach.
4. Sub-Processors
The Data Processor shall not engage any sub-processor to process personal data on behalf of the Data Fiduciary without prior written consent. Where sub-processors are approved, the Data Processor shall ensure equivalent data protection obligations are imposed on them by written contract. The Data Processor remains fully liable to the Data Fiduciary for the acts and omissions of its sub-processors as if such acts and omissions were its own.
5. Security Measures
The Data Processor shall implement and maintain appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Such measures shall include at minimum: (a) encryption of personal data in transit and at rest; (b) access controls and multi-factor authentication for systems containing personal data; (c) regular security testing and vulnerability assessments; (d) employee training on data security; (e) incident response procedures.
6. Personal Data Breach Notification
The Data Processor shall notify the Data Fiduciary without undue delay, and in any event within 72 hours of becoming aware of a personal data breach involving the Data Fiduciary's personal data. The notification shall include: (a) nature of the breach; (b) categories and approximate number of data subjects affected; (c) categories and approximate number of personal data records; (d) likely consequences; (e) measures taken or proposed. The Data Processor shall cooperate fully with the Data Fiduciary in investigating and responding to the breach.
7. Data Retention and Deletion
At the termination of this DPA or the underlying service agreement, or at any earlier time on the Data Fiduciary's written request, the Data Processor shall, at the Data Fiduciary's election: (a) securely delete all personal data and all copies thereof; or (b) return all personal data to the Data Fiduciary. The Data Processor shall certify in writing that deletion has been completed.
8. Audit Rights
The Data Processor shall, on reasonable written notice (not less than 14 days except in case of a breach or regulatory request), allow the Data Fiduciary or its authorised representative to conduct audits and inspections of the Data Processor's processing activities and security measures. The Data Processor shall cooperate with such audits and provide all requested documentation.
9. Liability and Indemnity
The Data Processor shall indemnify the Data Fiduciary for all losses, claims, damages, penalties, and regulatory fines arising from the Data Processor's breach of its obligations under this DPA or applicable data protection law, to the extent attributable to the Data Processor's acts or omissions.
10. Governing Law
This DPA shall be governed by the laws of India. Disputes shall be subject to the exclusive jurisdiction of the courts at Bengaluru.
IN WITNESS WHEREOF the Parties have executed this Data Processing Agreement on the date first written above.
DATA FIDUCIARY
Rajesh Mehta
Chief Privacy Officer
Acme Technologies Pvt Ltd
______________________
DATA PROCESSOR
Priya Kapoor
Chief Executive Officer
CloudServices Pvt Ltd
______________________