Article 28, Section 3, details the eight themes that need to be addressed in a CCA. In summary, here's what you need to include:

☐ the processor must take appropriate steps to ensure processing security;

1. The parties agree that in the event of a termination of the provision of data processing services at the data exporter's choice, the data importer and the subcontractor service provider return all personal data transmitted and copies to the data exporter, or destroy all personal data and confirm to the data exporter that it has done so, unless legislation imposed on the data importer prevents it from returning or destroying all or part of the transferred personal data. In this case, the data importer guarantees the confidentiality of the personal data transmitted and no longer actively processes the personal data transmitted.

A data processing agreement (DPA), also known as computer addendum, is a contract between computer controllers and data publishers or subprocessors. These agreements are designed to ensure that each company works in partnership in accordance with the GDPR or other applicable data protection laws to protect the interests of both parties.

The clauses are governed by the law of the Member State in which the data exporter is established.

☐ given the nature of the processing and the information available, the subcontractor assists the processing manager in carrying out his GDPR obligations with respect to processing security, notification of personal data breaches and data protection impact analyses;

If your company complies with the GDPR, all data processors you use should do the same, including a compliant data processing agreement.
"personal data", "specific categories of data", "process/treatment", "treatment", "subcontractor", "person concerned" and "supervisory authority" have the same meaning as in the European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with respect to the processing of personal data and the free movement of such data;

c. If the data exporter intends to suspend the transfer of personal data and/or terminate the relevant parties in the services, it endeavours to inform the data importer and give the data importer a reasonable period of time to authorize non-compliance ("Cure Period").

There is no particular format, and controllers generally suggest their form of data processing agreement when hiring a processor. The essential condition is that the content of the data processing agreement is in line with the legal requirements of the GDPR and that the contracting parties are then free to determine the form or layout and, if necessary, the additional clauses they wish to include (for example, data protection compensation, contacts of data protection delegates of one of the parties, and procedures for dealing with a breach of personal data subject to the personal data processing contract).