This Sub Processing Agreement is essential when a processor (who processes personal data on behalf of a data controller) wishes to engage another entity (a sub-processor) to carry out specific processing activities. The agreement is specifically designed to comply with Danish legal requirements and the GDPR, particularly Article 28(4). It is used when the main processor wants to delegate some or all of its processing activities to another entity while ensuring that appropriate data protection safeguards are in place. The document includes detailed provisions on data security, confidentiality, data subject rights, breach notification, and audit requirements. It's particularly important in the Danish context as it must comply with both the Danish Data Protection Act (Databeskyttelsesloven) and broader EU requirements, making it suitable for both domestic and international sub-processing arrangements involving Danish entities.
Create a bespoke document in minutes, or upload and review your own.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Get your first 2 documents free
Your data doesn't train Genie's AI
You keep IP ownership of your information
Key Requirements PROMPT example:
Sub Processing Agreement
I need a Sub Processing Agreement for our Danish cloud services company to engage a US-based data analytics provider, ensuring GDPR compliance and including standard contractual clauses, with the agreement to commence from March 1, 2025.
1. Parties: Identification of the main processor (as customer) and the sub-processor (as service provider), including their legal representatives
2. Background: Context of the agreement, reference to the main processing agreement, and the purpose of engaging a sub-processor
3. Definitions: Key terms used in the agreement, including GDPR-specific terminology and agreement-specific definitions
4. Scope and Purpose: Detailed description of the processing activities to be carried out by the sub-processor
5. Duration: Term of the agreement, including commencement date and termination provisions
6. Sub-processor Obligations: Core obligations including processing only on documented instructions, confidentiality, security measures, and data breach notification requirements
7. Technical and Organizational Measures: Security measures implemented to ensure appropriate level of data protection
8. Assistance to Processor: Sub-processor's obligations to assist the main processor in fulfilling its obligations to the controller
9. Audit Rights: Provisions for conducting audits and inspections of sub-processor's facilities and practices
10. Data Breach Management: Procedures for handling and reporting personal data breaches
11. Data Transfer Mechanisms: Rules for international data transfers and ensuring adequate protection
12. Liability and Indemnification: Allocation of liability and indemnification obligations between parties
13. Termination: Conditions for termination and obligations upon termination including data deletion or return
14. Governing Law and Jurisdiction: Specification of Danish law as governing law and jurisdiction for disputes
1. Sub-sub-processors: Include when the sub-processor may need to engage additional sub-processors, specifying authorization requirements and obligations
2. Special Categories of Data: Include when processing involves sensitive personal data, specifying additional safeguards
3. Data Protection Impact Assessment: Include when processing is likely to result in high risk to rights and freedoms of natural persons
4. Insurance Requirements: Include when specific insurance coverage is required for data processing activities
5. Business Continuity: Include when continuous service availability is critical, specifying disaster recovery and business continuity requirements
6. Exit Management: Include when complex transition arrangements are needed upon termination
1. Schedule 1 - Processing Activities: Detailed description of processing activities, including categories of data subjects, types of personal data, and processing purposes
2. Schedule 2 - Technical and Organizational Measures: Detailed description of security measures implemented by the sub-processor
3. Schedule 3 - Approved Sub-sub-processors: List of pre-approved sub-sub-processors, if any, including their locations and processing activities
4. Schedule 4 - Contact Points and Procedures: Contact details for key personnel and procedures for routine communications and emergencies
5. Schedule 5 - Audit Requirements: Specific procedures and requirements for conducting audits
6. Appendix A - Standard Contractual Clauses: If applicable, for international data transfers outside the EU/EEA
7. Appendix B - Service Level Agreement: Specific service levels and performance metrics for the sub-processing activities
Authors
Relevant legal definitions
Agreement
Applicable Data Protection Law
Authorized Sub-processor
Business Day
Controller
Data Subject
Danish Data Protection Act
EEA
EU Standard Contractual Clauses
GDPR
Main Processing Agreement
Personal Data
Personal Data Breach
Processing
Processor
Processing Instructions
Restricted Transfer
Services
Special Categories of Personal Data
Sub-processor
Technical and Organizational Measures
Term
Third Country
Supervisory Authority
Data Protection Impact Assessment
Records of Processing Activities
Confidential Information
Data Protection Officer
Data Minimization
Security Incident
Processing Location
Authorized Personnel
Exit Plan
Force Majeure Event
Intellectual Property Rights
Applicable Data Protection Law
Authorized Sub-processor
Business Day
Controller
Data Subject
Danish Data Protection Act
EEA
EU Standard Contractual Clauses
GDPR
Main Processing Agreement
Personal Data
Personal Data Breach
Processing
Processor
Processing Instructions
Restricted Transfer
Services
Special Categories of Personal Data
Sub-processor
Technical and Organizational Measures
Term
Third Country
Supervisory Authority
Data Protection Impact Assessment
Records of Processing Activities
Confidential Information
Data Protection Officer
Data Minimization
Security Incident
Processing Location
Authorized Personnel
Exit Plan
Force Majeure Event
Intellectual Property Rights
Clauses
Interpretation
Appointment
Duration
Scope of Processing
Processing Obligations
Confidentiality
Security
Data Protection
Sub-Processing
Audit Rights
Data Breach
International Transfers
Technical Requirements
Assistance and Cooperation
Record Keeping
Liability
Indemnification
Insurance
Force Majeure
Termination
Exit Management
Assignment
Notices
Variation
Severability
Entire Agreement
Governing Law
Jurisdiction
Data Subject Rights
Compliance
Warranties
Performance Standards
Business Continuity
Dispute Resolution
Appointment
Duration
Scope of Processing
Processing Obligations
Confidentiality
Security
Data Protection
Sub-Processing
Audit Rights
Data Breach
International Transfers
Technical Requirements
Assistance and Cooperation
Record Keeping
Liability
Indemnification
Insurance
Force Majeure
Termination
Exit Management
Assignment
Notices
Variation
Severability
Entire Agreement
Governing Law
Jurisdiction
Data Subject Rights
Compliance
Warranties
Performance Standards
Business Continuity
Dispute Resolution
Relevant Industries
Information Technology
Cloud Services
Financial Services
Healthcare
E-commerce
Telecommunications
Professional Services
Manufacturing
Education
Research and Development
Digital Marketing
Human Resources Services
Relevant Teams
Legal
Compliance
Information Security
IT
Procurement
Risk Management
Data Protection
Vendor Management
Operations
Privacy
Relevant Roles
Data Protection Officer
Privacy Officer
Legal Counsel
Compliance Manager
Information Security Manager
IT Director
Procurement Manager
Contract Manager
Risk Manager
Chief Technology Officer
Chief Information Security Officer
Data Protection Specialist
Privacy Lawyer
Vendor Manager
Operations Director
Find the exact document you need
Joint Controller Agreement
A Danish law-governed agreement establishing responsibilities between joint controllers under GDPR Article 26 for shared data processing activities.
find out more
DPA Contract
Danish law-governed Data Processing Agreement establishing GDPR-compliant terms for personal data processing between controller and processor.
find out more
DPA Addendum
A Danish law-compliant Data Processing Agreement Addendum that establishes GDPR-aligned terms for personal data processing activities.
find out more
Data Processing Addendum DPA
A Danish law-compliant Data Processing Addendum establishing terms for personal data processing between controller and processor, ensuring GDPR and Danish Data Protection Act compliance.
find out more
Controller To Controller Data Processing Agreement
Danish law-governed agreement between two independent data controllers for sharing personal data in compliance with GDPR and Danish data protection requirements.
find out more
Data Controller To Data Controller Agreement
A Danish law-governed agreement establishing terms for personal data sharing between two independent data controllers under GDPR and Danish data protection requirements.
find out more
Intercompany Data Processing Agreement
Danish law-governed agreement regulating intra-group personal data processing activities in compliance with GDPR and Danish data protection requirements.
find out more
Controller To Controller DPA
Danish law-governed Controller-to-Controller DPA establishing framework for GDPR-compliant data sharing between independent controllers.
find out more
DPA Agreement
A Danish law-governed Data Processing Agreement establishing data handling obligations between controller and processor under GDPR and Danish data protection requirements.
find out more
Data Transfer Addendum
Danish law-governed addendum for ensuring GDPR-compliant personal data transfers between organizations, incorporating Danish and EU data protection requirements.
find out more
Controller Processor Agreement
A Danish law-governed agreement establishing data processing terms between a data controller and processor, ensuring GDPR compliance and following Danish regulatory requirements.
find out more
Sub Processing Agreement
A Danish law-governed agreement establishing terms for sub-processor's personal data processing activities, ensuring GDPR and local law compliance.
find out more
International Data Transfer Agreement
Danish law-governed International Data Transfer Agreement for compliant transfer of personal data from Denmark to non-EEA countries.
find out more
Data Protection Addendum
Danish law-governed Data Protection Addendum ensuring GDPR compliance and establishing data processing obligations between controller and processor.
find out more
Download our whitepaper on the future of AI in Legal
By providing your email address you are consenting to our Privacy Notice.
Genie’s Security Promise
Genie is the safest place to draft. Here’s how we prioritise your privacy and security.
Your documents are private:
We do not train on your data; Genie’s AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
Our bank-grade security infrastructure undergoes regular external audits
We are ISO27001 certified, so your data is secure
Organizational security
You retain IP ownership of your documents
You have full control over your data and who gets to see it
Innovation in privacy:
Genie partnered with the Computational Privacy Department at Imperial College London
Together, we ran a £1 million research project on privacy and anonymity in legal contracts
Want to know more?
Visit our Trust Centre for more details and real-time security updates.
Read our Privacy Policy.