Commissioned Data Processing Agreement Template for Netherlands


Key Requirements PROMPT example:

Commissioned Data Processing Agreement

"I need a Commissioned Data Processing Agreement under Dutch law for my software company that will be processing customer data for multiple EU-based retail clients, including special categories of personal data, with potential sub-processors in India."

Document background

A Commissioned Data Processing Agreement is required under Article 28 GDPR whenever an organization (controller) engages another party (processor) to process personal data on its behalf. This document, governed by Dutch law, establishes the mandatory framework for such processing activities, ensuring compliance with both GDPR and Dutch data protection requirements. It details the processor's obligations, security measures, data handling procedures, and compliance mechanisms. The agreement is essential for Dutch businesses and international organizations processing personal data in the Netherlands, as it incorporates specific requirements from the Dutch GDPR Implementation Act (UAVG) and guidance from the Dutch Data Protection Authority. The Commissioned Data Processing Agreement should be put in place before any processing activities commence and should be regularly reviewed to ensure continued compliance with evolving data protection standards.

Suggested Sections

1. Parties: Identification of the data controller and data processor, including full legal names, registration numbers, and authorized representatives

2. Background: Context of the processing relationship, reference to main service agreement, and purpose of this DPA

3. Definitions: Definitions of key terms used in the agreement, including those from GDPR Article 4 and additional contract-specific terms

4. Scope and Purpose of Processing: Detailed description of the processing activities, categories of data subjects, and types of personal data

5. Duration and Termination: Term of the agreement, termination conditions, and data handling upon termination

6. Processor Obligations: Core obligations of the processor including processing only on documented instructions, confidentiality, security measures, and data breach notification

7. Sub-processing: Conditions and requirements for engaging sub-processors, including authorization process and obligations

8. Data Subject Rights: Processor's obligations to assist controller in responding to data subject requests

9. Security Measures: Technical and organizational measures required to ensure appropriate security of processing

10. Audit Rights: Controller's audit rights and processor's obligations to demonstrate compliance

11. Data Transfers: Rules and safeguards for international data transfers, including to countries outside the EEA

12. Liability and Indemnification: Allocation of liability between parties and indemnification obligations

13. Governing Law and Jurisdiction: Specification of Dutch law as governing law and jurisdiction for disputes

Optional Sections

1. Insurance Requirements: Specific insurance obligations for the processor, recommended when processing sensitive or high-risk data

2. Business Continuity: Requirements for business continuity and disaster recovery, important for critical processing activities

3. Special Categories of Data: Additional safeguards for processing special categories of personal data under Article 9 GDPR

4. Data Protection Impact Assessment: Cooperation requirements for DPIAs, necessary when processing is likely to result in high risk

5. Joint Controller Provisions: Additional provisions when parties act as joint controllers for certain processing activities

Suggested Schedules

1. Schedule 1 - Processing Activities: Detailed description of processing activities, including purposes, categories of data subjects and personal data

2. Schedule 2 - Technical and Organizational Measures: Detailed description of security measures implemented by the processor

3. Schedule 3 - Approved Sub-processors: List of pre-approved sub-processors and their processing activities

4. Schedule 4 - Transfer Mechanisms: Details of transfer mechanisms used for international data transfers

5. Appendix A - Data Breach Notification Protocol: Detailed procedures for notifying and handling data breaches

6. Appendix B - Security Audit Requirements: Specific requirements and procedures for security audits

Authors

Alex Denne

Head of Growth (Open Source Law) @ Genie AI | 3 x UCL-Certified in Contract Law & Drafting | 4+ Years Managing 1M+ Legal Documents | Serial Founder & Legal AI Author

Relevant Industries

Technology and Software

Healthcare

Financial Services

Professional Services

E-commerce

Education

Manufacturing

Telecommunications

Human Resources

Marketing and Advertising

Cloud Services

Research and Development

Logistics and Transportation

Retail

Insurance

Relevant Teams

Legal

Compliance

Information Security

IT

Privacy

Risk Management

Procurement

Data Protection

Information Governance

Vendor Management

Relevant Roles

Data Protection Officer

Privacy Officer

Legal Counsel

Compliance Manager

Information Security Officer

IT Director

Chief Technology Officer

Chief Information Security Officer

Privacy Manager

Contract Manager

Procurement Manager

Risk Manager

General Counsel

Chief Legal Officer

Data Protection Specialist

Find the exact document you need

Joint Controller Data Processing Agreement

Dutch law-governed Joint Controller Data Processing Agreement establishing GDPR-compliant framework for shared data processing responsibilities.

Controller To Controller Agreement GDPR

A Dutch law-governed agreement establishing GDPR-compliant data sharing arrangements between two independent data controllers.

Dpa Data Privacy Agreement

Dutch law-governed Data Processing Agreement establishing GDPR-compliant terms for personal data processing between controller and processor.

Commissioned Data Processing Agreement

Dutch law-governed Data Processing Agreement establishing GDPR-compliant terms for personal data processing between controller and processor.

Supplier Data Processing Agreement

A Dutch law-governed data processing agreement establishing GDPR-compliant terms between a company and its supplier for personal data processing activities.

Data Privacy Addendum

A Dutch law-governed Data Privacy Addendum establishing GDPR-compliant terms for personal data processing between controllers and processors.

Non Disclosure Agreement Data Protection

Dutch law-governed NDA with enhanced data protection provisions compliant with GDPR and local privacy regulations.

Genie’s Security Promise

Genie is the safest place to draft. Here’s how we prioritise your privacy and security.

Your documents are private:

We do not train on your data; Genie’s AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

Our bank-grade security infrastructure undergoes regular external audits

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents

You have full control over your data and who gets to see it

Innovation in privacy:

Genie partnered with the Computational Privacy Department at Imperial College London

Together, we ran a £1 million research project on privacy and anonymity in legal contracts
