Note: This is a model contract provision to be used in contracts with “processors” of “personal data” under the EU GDPR. This contract provision should be used when contractors do not offer GDPR language in their contracts.

EU GDPR Compliance. The University of Tennessee is subject to the European Union’s General Data Privacy Regulation [Regulation (EU) 2016/679] (the “GDPR”) when the University is a “controller” or “processor” of “personal data” from an individual “data subject” located in the European Union, as those terms are defined in the GDPR. The Contractor acknowledges and agrees that it is acting as a “processor” of “personal data” for the University under this Agreement and that all applicable requirements of the GDPR are incorporated by reference as material terms of this Agreement. The Contractor represents and warrants that (1) it is aware of and understands its compliance obligations as a “processor” under GDPR; (2) it has adopted a GDPR compliance policy/program, a copy of which has been provided to the University; (3) it will process “personal data” only in accordance with the University’s instructions; and (4) with regard to its obligations under this Agreement, it shall comply with all applicable requirements of the GDPR to the same extent as required for the University. Additionally, the Contractor shall indemnify and hold the University, its trustees, officers, and employees harmless from and against any claims, demands, suits, damages, penalties, fines, or costs arising from any violation of GDPR by the Contractor.

An editable Word document version of the Model EU GDPR Contract Provision.