Commissioned Data Processing Agreement Template for the United States
Generate a bespoke document
What is a Commissioned Data Processing Agreement?
The Commissioned Data Processing Agreement is essential when an organization (controller) engages another party (processor) to process personal data on its behalf. This agreement has become increasingly critical with the evolution of U.S. privacy laws and regulations at both federal and state levels. It addresses key requirements for data protection, defines responsibilities and liabilities, and ensures compliance with applicable privacy regulations. The agreement is particularly important in light of stringent state laws like CCPA and industry-specific regulations such as HIPAA and GLBA.
About the Commissioned Data Processing Agreement
A Commissioned Data Processing Agreement is a critical legal document that governs the relationship between a data controller and a data processor when personal information is shared for processing activities. Under the evolving landscape of United States privacy laws, this agreement ensures both parties understand their obligations and maintain compliance with applicable regulations while protecting individual privacy rights.
When do you need this document?
You need this agreement whenever your organization engages a third party to process personal data on your behalf. This includes situations where you hire cloud service providers, marketing agencies, payroll companies, or IT support firms that will access customer or employee information. The agreement is mandatory when operating under state privacy laws like CCPA or CPRA, and essential for any business relationship involving data sharing across state lines. You should execute this document before any personal data is transferred or processing begins, as it establishes the legal foundation for the entire data handling relationship.
Key legal considerations
The agreement must clearly define the scope and purpose of data processing, specifying what types of personal information will be processed and for what legitimate business purposes. Data security requirements are paramount, including obligations for encryption, access controls, and breach notification procedures. The processor's obligations section should address data retention periods, deletion requirements, and restrictions on further disclosure or use. Liability allocation clauses determine responsibility for regulatory fines, data breaches, and compliance failures. The agreement should include provisions for data subject rights fulfillment, such as access requests and deletion demands. Subprocessor arrangements require careful attention, as the primary processor remains liable for third-party actions. International data transfer provisions may be necessary if processing occurs across borders or involves foreign entities.
Legal requirements in United States
United States privacy law operates through a complex framework of state-level regulations, with California leading through CCPA and CPRA. These laws require explicit contractual protections when personal information is shared with service providers, including restrictions on use, retention, and further disclosure. Virginia's VCDPA, Colorado's CPA, Utah's UCPA, and Connecticut's CTDPA impose similar contractor agreement requirements with slight variations in scope and definitions. The agreement must address specific consumer rights under each applicable state law, including opt-out mechanisms and data portability requirements. Industry-specific regulations like HIPAA for healthcare data and GLBA for financial information may impose additional contractual obligations. Many state laws require that processing agreements include audit rights, allowing controllers to verify processor compliance with privacy obligations. The document should specify which state's privacy law governs the relationship and ensure compatibility with all applicable jurisdictions where either party operates.
GOVERNING LAW
Applicable law
This Commissioned Data Processing Agreement is drafted to comply with United States law. Key legislation includes:
Explore 208,390+ legal templates
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it