Intercompany Data Processing Agreement Template for the United States
Generate a bespoke document
What is a Intercompany Data Processing Agreement?
The Intercompany Data Processing Agreement serves as a critical compliance tool for organizations operating multiple entities that share and process personal data within their corporate structure. This agreement is essential when one group entity processes personal data on behalf of another entity within the same organization, particularly in the United States where various federal and state privacy laws apply. It addresses key requirements under US privacy regulations, establishes clear roles and responsibilities, and provides a framework for compliant data processing activities between affiliated entities.
About the Intercompany Data Processing Agreement
An Intercompany Data Processing Agreement is a specialized contract that governs how personal data is shared, processed, and protected between different entities within the same corporate group. When your organization operates multiple legal entities that handle personal data, you need clear contractual arrangements to ensure compliance with United States privacy laws and establish proper data governance frameworks.
When do you need this document?
You require an Intercompany Data Processing Agreement when your parent company collects customer data that subsidiaries need for service delivery, when shared service centers process employee or customer information for multiple group entities, or when data flows between entities for business intelligence and analytics purposes. This agreement is essential if your organization has entities in different states with varying privacy requirements, particularly when California entities share data with entities in other jurisdictions. You also need this document when consolidating data processing operations, implementing group-wide systems, or when regulatory audits require clear documentation of inter-entity data flows.
Key legal considerations
The agreement must clearly designate roles as data controller or processor, ensuring each entity understands its compliance obligations under applicable privacy laws. Data processing purposes must be specifically defined and limited to legitimate business needs, with provisions for data minimization and retention limits. Security requirements should align with industry standards and regulatory expectations, including incident response procedures and breach notification protocols. The agreement should address data subject rights, including how requests will be handled across entities, and establish mechanisms for data portability and deletion. Cross-border transfer provisions are crucial if entities operate in different jurisdictions, requiring appropriate safeguards and legal mechanisms for data transfers.
Legal requirements in United States
Under the FTC Act Section 5, your agreement must include provisions preventing unfair or deceptive data handling practices and ensure transparency in processing activities. HIPAA compliance requires specific safeguards for protected health information, including business associate provisions and technical safeguards for healthcare entities. Financial institutions must address GLBA requirements for customer financial information protection, including privacy notices and opt-out mechanisms. COPPA considerations apply when processing children's data, requiring enhanced consent mechanisms and data handling restrictions. State-level compliance with CCPA and CPRA requires detailed provisions for California resident rights, including specific disclosure requirements and opt-out mechanisms. VCDPA and other emerging state laws necessitate flexible frameworks that can accommodate evolving privacy requirements and ensure consistent protection standards across your organization's operations.
GOVERNING LAW
Applicable law
This Intercompany Data Processing Agreement is drafted to comply with United States law. Key legislation includes:
Explore 208,390+ legal templates
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it