All Countries
Controller Processor Agreement

Controller Processor Agreement Template for Australia

Create a bespoke document in minutes,  or upload and review your own.

4.6 / 5
4.8 / 5

Let's create your Controller Processor Agreement

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get your first 2 documents free

Your data doesn't train Genie's AI

You keep IP ownership of your information

Key Requirements PROMPT example:

Controller Processor Agreement

"I need a Controller Processor Agreement for my Australian healthcare software company that will be processing patient data on behalf of multiple medical clinics, with the agreement starting in March 2025 and including specific provisions for handling sensitive health information."

Celebrated by
Collaborations with
Investors
Document background
The Controller Processor Agreement is essential for organizations operating in Australia that outsource the processing of personal data to third parties. This document is required when one party (the controller) engages another party (the processor) to perform data processing activities on its behalf. The agreement ensures compliance with the Privacy Act 1988, Australian Privacy Principles, and related privacy regulations. It details the scope of processing activities, security measures, data breach protocols, and compliance requirements. The document is particularly crucial given Australia's strict privacy regime and the significant penalties for non-compliance. It should be used whenever an organization engages external parties to process personal data, whether for cloud services, analytics, payroll processing, or other data handling activities.
Suggested Sections

1. Parties: Identification of the Data Controller and Data Processor, including full legal names and registered addresses

2. Background: Context of the agreement, relationship between parties, and purpose of data processing activities

3. Definitions: Detailed definitions of key terms used throughout the agreement, including 'Personal Data', 'Processing', 'Data Subject', etc.

4. Scope and Purpose of Processing: Detailed description of the authorized data processing activities and their specific purposes

5. Duration of Agreement: Term of the agreement, including commencement date and termination provisions

6. Nature and Purpose of Processing: Specific details about the types of processing activities and their intended purposes

7. Obligations of the Data Processor: Core responsibilities of the processor including processing only on documented instructions, confidentiality, security measures

8. Obligations of the Data Controller: Responsibilities of the controller including providing documented instructions and ensuring legal basis for processing

9. Security Measures: Technical and organizational security measures required to protect personal data

10. Sub-processing: Conditions and requirements for engaging sub-processors

11. Data Breach Notification: Procedures and timeframes for reporting data breaches

12. Audit Rights: Controller's rights to audit the processor's compliance and processor's obligations to assist

13. Data Subject Rights: Processor's obligations to assist controller in responding to data subject requests

14. Cross-border Data Transfers: Requirements and safeguards for international data transfers

15. Termination and Data Deletion: Procedures for agreement termination and subsequent handling of personal data

16. Governing Law and Jurisdiction: Specification of Australian law as governing law and jurisdiction for disputes

Optional Sections

1. Insurance Requirements: Specific insurance obligations for the processor - include when handling sensitive data or high-risk processing

2. Service Levels: Specific performance metrics and standards - include when processing requires specific response times or availability

3. Disaster Recovery: Detailed disaster recovery and business continuity requirements - include for critical data processing activities

4. Joint Controller Provisions: Provisions for scenarios where parties act as joint controllers - include when responsibilities overlap

5. Special Categories of Data: Additional requirements for processing sensitive data - include when handling health, biometric, or other sensitive data

6. Data Protection Impact Assessment: Requirements for DPIAs - include when processing poses high risks to individuals

7. Compensation and Liability: Detailed liability allocation and caps - include for high-value or high-risk processing

Suggested Schedules

1. Schedule 1 - Processing Activities: Detailed description of all processing activities, including categories of data subjects and personal data

2. Schedule 2 - Technical and Organizational Measures: Detailed security measures and controls implemented by the processor

3. Schedule 3 - Approved Sub-processors: List of pre-approved sub-processors and their processing activities

4. Schedule 4 - Transfer Mechanisms: Details of mechanisms used for international data transfers

5. Schedule 5 - Service Levels: Detailed service level agreements and performance metrics

6. Appendix A - Data Breach Response Plan: Detailed procedures for handling and reporting data breaches

7. Appendix B - Audit Requirements: Specific procedures and requirements for conducting audits

Authors

Alex Denne

Head of Growth (Open Source Law) @ Genie AI | 3 x UCL-Certified in Contract Law & Drafting | 4+ Years Managing 1M+ Legal Documents | Serial Founder & Legal AI Author

Linkedin in social icon imageX social icon image
alex.den.21@genieai.co
Relevant legal definitions
Agreement
APP Guidelines
Australian Privacy Principles
Authorised Person
Business Day
Business Hours
Commencement Date
Confidential Information
Controller
Data
Data Breach
Data Processing Schedule
Data Protection Laws
Data Subject
Data Subject Request
Disaster Recovery Plan
Effective Date
Information Commissioner
Initial Term
Intellectual Property Rights
Law
Notifiable Data Breach
OAIC
Personal Information
Personnel
Privacy Act
Privacy Laws
Processor
Processing
Prohibited Data
Representatives
Security Incident
Security Requirements
Sensitive Information
Services
Special Categories of Personal Information
Sub-processor
Technical and Organisational Measures
Term
Third Party
Clauses
Interpretation
Definitions
Scope of Processing
Duration
Data Protection Obligations
Security Requirements
Confidentiality
Sub-processing
Data Breach Notification
Audit Rights
Cross-border Transfer
Data Subject Rights
Liability
Indemnification
Insurance
Force Majeure
Termination
Data Deletion
Assignment
Notices
Variation
Severability
Entire Agreement
Governing Law
Dispute Resolution
Regulatory Compliance
Service Levels
Personnel Requirements
Warranties
Business Continuity
Intellectual Property
Non-solicitation
Change Control
Costs and Expenses
Relevant Industries

Technology and Software

Healthcare and Medical Services

Financial Services

Professional Services

E-commerce and Retail

Education

Telecommunications

Insurance

Manufacturing

Government and Public Sector

Cloud Services

Consulting

Marketing and Advertising

Research and Development

Human Resources Services

Relevant Teams

Legal

Compliance

Information Security

IT

Risk Management

Privacy

Data Protection

Procurement

Operations

Information Governance

Vendor Management

Data Governance

Relevant Roles

Chief Privacy Officer

Data Protection Officer

Privacy Manager

Legal Counsel

Compliance Officer

Information Security Manager

IT Director

Chief Information Security Officer

Risk Manager

Procurement Manager

Chief Technology Officer

Operations Manager

Chief Legal Officer

Privacy Analyst

Data Governance Manager

Contract Manager

Information Governance Officer

Industries
Privacy Act 1988 (Cth): The primary federal law governing privacy and personal data protection in Australia, including the Australian Privacy Principles (APPs) which set out standards for handling personal information
Privacy Amendment (Notifiable Data Breaches) Act 2017: Establishes mandatory data breach notification requirements for entities regulated by the Privacy Act
Australian Privacy Principles (APPs): 13 principles outlined in Schedule 1 of the Privacy Act that regulate the handling of personal information by Australian government agencies and organizations
Privacy Amendment (Enhancing Privacy Protection) Act 2012: Significant reform to the Privacy Act that introduced the APPs and enhanced privacy protections
State Privacy Laws: Various state-specific privacy laws that may apply depending on the jurisdiction (e.g., Victorian Data Sharing Act 2017, NSW Privacy and Personal Information Protection Act 1998)
Security of Critical Infrastructure Act 2018: May be relevant if the data processing involves critical infrastructure sectors or systems
Competition and Consumer Act 2010: Includes provisions related to unfair contract terms and consumer protection that may affect data handling agreements
Teams

Employer, Employee, Start Date, Job Title, Department, Location, Probationary Period, Notice Period, Salary, Overtime, Vacation Pay, Statutory Holidays, Benefits, Bonus, Expenses, Working Hours, Rest Breaks,  Leaves of Absence, Confidentiality, Intellectual Property, Non-Solicitation, Non-Competition, Code of Conduct, Termination,  Severance Pay, Governing Law, Entire Agreemen

Find the exact document you need

Personal Information Processing Agreement

An Australian law-governed agreement establishing terms for personal information processing between controllers and processors, ensuring compliance with the Privacy Act 1988 and APPs.

find out more

DPA Data Processing Addendum

An Australian-law compliant agreement that establishes terms for processing personal information under the Privacy Act 1988 and APPs, defining data handling obligations between controllers and processors.

find out more

Data Processing Agreement Addendum

An Australian-compliant addendum governing data processing responsibilities between controllers and processors under the Privacy Act 1988.

find out more

Joint Controller Agreement

An Australian law-governed agreement establishing rights and obligations between joint controllers of personal data under the Privacy Act 1988.

find out more

Intra Group Data Sharing Agreement

An Australian law-governed agreement regulating data sharing between entities within the same corporate group, ensuring compliance with privacy laws and data protection requirements.

find out more

Dpia Agreement

An Australian agreement governing the conduct of Data Protection Impact Assessments under the Privacy Act 1988 and related privacy laws.

find out more

Subprocessor Agreement

An Australian legal agreement governing data processing arrangements between a processor and subprocessor, ensuring compliance with Australian privacy laws and data protection requirements.

find out more

Master Data Protection Agreement

An Australian law-governed agreement establishing data protection obligations between parties, ensuring compliance with the Privacy Act 1988 and related privacy legislation.

find out more

Controller To Controller Data Processing Agreement

An Australian law-compliant agreement governing personal data sharing between two independent data controllers, ensuring Privacy Act 1988 and APP compliance.

find out more

Intra Group Data Transfer Agreement

An Australian law-compliant agreement governing data transfers between entities within the same corporate group, ensuring privacy law compliance and operational efficiency.

find out more

Data Management Agreement

An Australian law-governed agreement establishing data management and protection obligations between parties, ensuring compliance with Privacy Act 1988 and related legislation.

find out more

Intercompany Data Processing Agreement

An Australian law-governed agreement regulating data processing activities between related companies within the same corporate group.

find out more

Controller To Controller DPA

An Australian law-compliant agreement governing personal data sharing between two independent data controllers, ensuring Privacy Act compliance and data protection.

find out more

Intercompany Data Sharing Agreement

An Australian-law governed agreement for regulated data sharing between related corporate entities, incorporating privacy law compliance and data protection measures.

find out more

DPA Agreement

An Australian-law compliant agreement governing personal information processing between controllers and processors, ensuring adherence to the Privacy Act 1988 and APPs.

find out more

Third Party Data Processing Agreement

An Australian-compliant agreement governing the processing of personal information by third-party service providers under Privacy Act 1988 and APPs.

find out more

Data Transfer Addendum

An Australian law-compliant addendum governing data transfer arrangements between parties, ensuring compliance with the Privacy Act 1988 and APPs.

find out more

Supplier Data Processing Agreement

An Australian-law governed agreement setting out terms for processing personal information between an organization and its supplier, ensuring compliance with Australian privacy laws.

find out more

Controller Processor Agreement

An Australian law-compliant agreement governing the processing of personal data between a controller and processor, aligned with the Privacy Act 1988 and APPs.

find out more

Order Processing Agreement

An Australian-law governed agreement establishing terms for order processing services, including operational procedures, compliance requirements, and service levels.

find out more

Data Protection Agreement For Employees

An Australian-compliant employee data protection agreement establishing rights and obligations for handling personal information in the employment context.

find out more

Affiliate Addendum

An Australian law-governed addendum establishing terms and conditions for affiliate marketing relationships, including commercial terms and compliance requirements.

find out more

Sub Processing Agreement

An Australian-law governed agreement that establishes terms for sub-processing of personal data, ensuring compliance with privacy laws and data protection requirements.

find out more

International Data Transfer Agreement

An Australian law-compliant agreement governing cross-border data transfers, ensuring protection of personal information under the Privacy Act 1988 and APPs.

find out more

Data Transfer Agreement

An Australian law-governed agreement establishing terms for secure and compliant data transfer between organizations, ensuring adherence to Australian privacy regulations.

find out more

Download our whitepaper on the future of AI in Legal

By providing your email address you are consenting to our Privacy Notice.
Thank you for downloading our whitepaper. This should arrive in your inbox shortly. In the meantime, why not jump straight to a section that interests you here: https://www.genieai.co/our-research
Oops! Something went wrong while submitting the form.

Genie’s Security Promise

Genie is the safest place to draft. Here’s how we prioritise your privacy and security.

Your documents are private:

We do not train on your data; Genie’s AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

Our bank-grade security infrastructure undergoes regular external audits

We are ISO27001 certified, so your data is secure

Organizational security

You retain IP ownership of your documents

You have full control over your data and who gets to see it

Innovation in privacy:

Genie partnered with the Computational Privacy Department at Imperial College London

Together, we ran a £1 million research project on privacy and anonymity in legal contracts

Want to know more?

Visit our Trust Centre for more details and real-time security updates.

Read our Privacy Policy.