A Data Processing Addendum (DPA) is a mandatory legal document required whenever a company (data controller) engages another party (data processor) to process personal data on its behalf under Maltese jurisdiction. This document ensures compliance with Article 28 of the GDPR and Malta's Data Protection Act, establishing specific terms for data handling, security measures, and breach notifications. It should be used as a supplement to primary service agreements where personal data processing occurs, whether for cloud services, IT support, HR management, or any other service involving personal data processing. The DPA includes crucial details about processing activities, security requirements, sub-processor arrangements, and international data transfers, all aligned with Maltese and EU data protection requirements.

1. Parties: Identification of the Data Controller and Data Processor, including full legal names, registration details, and registered addresses

2. Background: Context of the relationship between parties and reference to the main agreement this DPA supplements

3. Definitions: Key terms used in the DPA, aligned with GDPR definitions and any additional specific terms

4. Scope and Purpose of Processing: Detailed description of what personal data will be processed and for what specific purposes

5. Duration of Processing: Timeframe for the data processing activities and alignment with the main agreement

6. Nature and Purpose of Processing: Specific details about how the data will be processed and the legitimate basis for processing

7. Obligations of the Data Processor: Core responsibilities of the processor including security measures, confidentiality, and breach notification

8. Rights and Obligations of the Data Controller: Controller's responsibilities, including instructions for processing and audit rights

9. Sub-processing: Conditions and requirements for engaging sub-processors

10. International Data Transfers: Rules and safeguards for transferring data outside the EEA

11. Data Subject Rights: Procedures for handling data subject requests and processor's assistance obligations

12. Data Security: Technical and organizational security measures required

13. Data Breach Notification: Procedures and timeframes for reporting data breaches

14. Audit Rights: Controller's rights to audit and processor's obligations to demonstrate compliance

15. Liability and Indemnification: Allocation of responsibility and liability between parties

16. Termination: Conditions for termination and data handling upon termination

17. Governing Law and Jurisdiction: Confirmation of Maltese law governance and jurisdiction