Data Processing Addendum Template for Belgium

The Data Processing Addendum (DPA) is essential for organizations engaged in processing personal data under Belgian jurisdiction. It is typically used as an annexure to a main service agreement when one party (the processor) processes personal data on behalf of another party (the controller). The DPA ensures compliance with Article 28 of the GDPR and the Belgian Data Protection Act of 2018, detailing specific requirements for data processing activities, security measures, breach notifications, and data subject rights. This document is particularly crucial in the Belgian context, where organizations must adhere to both EU-wide regulations and specific national implementation measures. The DPA includes provisions for technical and organizational measures, sub-processor management, international data transfers (where applicable), and audit rights, all aligned with Belgian legal requirements and supervisory authority guidelines.

1. Parties: Identification of the data controller and data processor, including full legal names, registration details, and addresses

2. Background: Context of the relationship between parties and purpose of the addendum in relation to the main agreement

3. Definitions: Definitions of key terms used in the DPA, aligned with GDPR Article 4 and Belgian Data Protection Act definitions

4. Scope and Purpose of Processing: Detailed description of the authorized data processing activities, categories of data subjects, and types of personal data

5. Obligations of the Data Processor: Core processor obligations under GDPR Article 28, including processing only on documented instructions, confidentiality, security measures, and sub-processor requirements

6. Technical and Organizational Measures: Security measures implemented to ensure appropriate level of data protection

7. Sub-processing: Conditions and requirements for engaging sub-processors, including authorization process and obligations

8. Data Subject Rights: Processor's obligations to assist controller in responding to data subject requests

9. Data Breach Notification: Procedures and timeframes for notifying controller of personal data breaches

10. Audit Rights: Controller's rights to audit processor's compliance and processor's obligations to contribute to audits

11. Data Return and Deletion: Obligations regarding return or deletion of personal data upon termination of services

12. Liability and Indemnification: Allocation of liability between parties and indemnification obligations

13. Term and Termination: Duration of the DPA and conditions for termination

14. Governing Law and Jurisdiction: Specification of Belgian law as governing law and jurisdiction for disputes