Commissioned Data Processing Agreement Template for Austria


Key Requirements PROMPT example:

Commissioned Data Processing Agreement

"I need a Commissioned Data Processing Agreement for our Austria-based healthcare software company that will be processing patient data on behalf of multiple hospitals, with strict security requirements and the possibility of transferring data to our backup servers in Switzerland, to be implemented by March 2025."

Document background

The Commissioned Data Processing Agreement is a mandatory legal document required under Article 28 of the GDPR and Austrian data protection law whenever an organization (controller) engages another party (processor) to process personal data on its behalf. This agreement is essential for ensuring compliance with European and Austrian data protection requirements, establishing clear lines of responsibility, and implementing appropriate safeguards for personal data processing. It must be in place before any data processing begins and should detail the scope, purpose, and nature of processing, along with technical and organizational measures for data protection. The agreement is particularly crucial in the Austrian context as it must comply with both GDPR and specific requirements under the Austrian Data Protection Act (DSG), including local regulatory guidance and enforcement practices.

Suggested Sections

1. Parties: Identification of the data controller and data processor, including full legal names and registration details

2. Background: Context of the processing relationship and purpose of the agreement

3. Definitions: Key terms used in the agreement, including GDPR-specific terminology

4. Subject Matter and Duration: Scope of processing activities and duration of the agreement

5. Nature and Purpose of Processing: Detailed description of processing activities and their intended purposes

6. Type of Personal Data and Categories of Data Subjects: Specification of personal data types and affected individuals

7. Obligations and Rights of the Controller: Controller's responsibilities, including instructions and monitoring rights

8. Processor's Obligations: Core processor duties including security measures, confidentiality, and subprocessing rules

9. Technical and Organizational Measures: Security measures implemented to ensure appropriate data protection

10. Sub-processing: Rules and procedures for engaging sub-processors

11. Data Subject Rights: Processor's assistance in responding to data subject requests

12. Data Breach Notification: Procedures and timeframes for reporting data breaches

13. Audit Rights: Controller's rights to audit and processor's obligations to demonstrate compliance

14. Data Return and Deletion: Obligations regarding data handling upon agreement termination

15. Liability and Indemnification: Allocation of responsibilities and liability between parties

16. Termination: Conditions and procedures for ending the agreement

17. Governing Law and Jurisdiction: Specification of Austrian law application and jurisdictional matters

Optional Sections

1. International Data Transfers: Required when personal data will be transferred outside the EEA, including appropriate transfer mechanisms

2. Special Categories of Data: Additional safeguards when processing sensitive personal data under Article 9 GDPR

3. Insurance Requirements: Specific insurance obligations for high-risk processing activities

4. Business Continuity and Disaster Recovery: Detailed procedures for ensuring continuous data availability and recovery

5. Performance Metrics and Service Levels: Specific processing performance requirements and measurement criteria

6. Costs and Remuneration: Financial terms if not covered in a separate service agreement

Suggested Schedules

1. Schedule 1 - Processing Activities: Detailed description of all processing activities, including data flows and purposes

2. Schedule 2 - Technical and Organizational Measures: Detailed security measures and controls implemented by the processor

3. Schedule 3 - Approved Sub-processors: List of pre-approved sub-processors and their processing activities

4. Schedule 4 - Transfer Mechanisms: Details of international transfer mechanisms if applicable

5. Schedule 5 - Contact Points and Escalation Procedure: Key contacts and procedures for operational and emergency communications

6. Appendix A - Data Categories and Processing Purposes: Detailed matrix of data types, processing purposes, and data subject categories

7. Appendix B - Security Breach Response Plan: Detailed procedures for handling and reporting data breaches

Authors

Alex Denne

Head of Growth (Open Source Law) @ Genie AI | 3 x UCL-Certified in Contract Law & Drafting | 4+ Years Managing 1M+ Legal Documents | Serial Founder & Legal AI Author

Relevant Industries

Information Technology

Healthcare

Financial Services

E-commerce

Education

Professional Services

Cloud Services

Human Resources

Marketing and Advertising

Telecommunications

Research and Development

Manufacturing

Retail

Insurance

Consulting

Relevant Teams

Legal

Compliance

Information Security

Data Protection

IT Operations

Risk Management

Procurement

Information Technology

Privacy

Vendor Management

Operations

Information Management

Relevant Roles

Data Protection Officer

Privacy Officer

Legal Counsel

Compliance Manager

IT Security Manager

Chief Information Security Officer

Chief Technology Officer

Chief Legal Officer

Privacy Manager

Information Security Manager

Contract Manager

Risk Manager

Procurement Manager

Operations Director

Chief Information Officer

Data Protection Specialist

Compliance Officer

Privacy Counsel
