# Multi-Jurisdiction Data Processing Agreement (GDPR + CCPA + UK)

> Draft an integrated Data Processing Agreement covering EU GDPR Article 28, EU Standard Contractual Clauses (SCCs), UK IDTA or UK Addendum, and US state privacy laws (CCPA/CPRA, CPA, VCDPA). Includes jurisdiction checker, SCC module selection, and Transfer Impact Assessment.



Tags: Privacy, GDPR, CCPA, Data Protection, Legal, Cross-Border


## Example Prompts

- Draft a DPA for our SaaS platform covering EU, UK, and California data flows
- Add EU Standard Contractual Clauses to our existing DPA
- Create a UK IDTA addendum for our international data transfers
- Draft CCPA service provider terms alongside our GDPR processor agreement

URL: https://rakenne.app/skills/multi-jurisdiction-dpa/index.md

Try this skill: https://rakenne.app/a/?skill=multi-jurisdiction-dpa



## Overview

Draft an integrated Data Processing Agreement covering EU GDPR Article 28, EU Standard Contractual Clauses (SCCs), UK IDTA or UK Addendum, and US state privacy laws (CCPA/CPRA, CPA, VCDPA, CTDPA). Includes jurisdiction checker, SCC module selection, and Transfer Impact Assessment.

No single-regime DPA template handles multi-jurisdiction SaaS data flows correctly. A SaaS provider with EU, UK, and US customers needs GDPR Article 28 processor clauses, the correct EU SCC module with completed annexes, a UK IDTA or UK Addendum, CCPA/CPRA service provider terms, and potentially addenda for Colorado, Virginia, and Connecticut — all using consistent definitions. This skill produces one unified DPA covering all applicable regimes, with automatic jurisdiction detection and completeness validation.

## Getting Started

Add your source materials to the project workspace — existing DPAs, data flow maps, subprocessor lists, security documentation, and privacy policy — then activate the *Multi-Jurisdiction Data Processing Agreement (GDPR + CCPA + UK)* skill. The agent will guide you through data flow profiling, jurisdiction determination, SCC module selection, and DPA drafting.

## Example Conversation

Below is an example of how a typical multi-jurisdiction DPA session unfolds. The agent determines applicable regimes from data flows, selects the correct SCC module, and iteratively validates the DPA.

> **You:** We need a DPA for our analytics SaaS platform, DataPulse. We have customers in Germany, France, the UK, and California. Our servers are in AWS us-east-1 (Virginia) and eu-west-1 (Ireland).
>
> **Agent:** I'll help you draft the multi-jurisdiction DPA. Based on those data flows, here's the initial jurisdiction analysis:
>
> | Data Subjects | Processing Location | Regime | Transfer Mechanism |
> |---|---|---|---|
> | Germany (EEA) | Ireland (EEA) | EU GDPR Art. 28 | Not needed (intra-EEA) |
> | Germany (EEA) | Virginia (US) | EU GDPR Art. 28 + EU SCCs | Module 2 (C2P) required |
> | France (EEA) | Ireland (EEA) | EU GDPR Art. 28 | Not needed (intra-EEA) |
> | France (EEA) | Virginia (US) | EU GDPR Art. 28 + EU SCCs | Module 2 (C2P) required |
> | UK | Virginia (US) | UK GDPR / DPA 2018 | UK IDTA or UK Addendum required |
> | California | Virginia (US) | CCPA/CPRA | Service provider terms required |
>
> A few questions before I proceed:
>
> 1. Is DataPulse EU-US Data Privacy Framework (DPF) certified? If so, SCCs aren't strictly required for the EU→US transfer, but maintaining them as backup coverage is recommended.
> 2. For the UK transfer — do you prefer a standalone UK IDTA or a UK Addendum to the EU SCCs? (The UK Addendum is shorter if you're already using EU SCCs.)
> 3. Do you have customers in Colorado, Virginia, or Connecticut? Those states have privacy laws with processor contract requirements.
>
> **You:** Not DPF certified yet — we're working on it. Use the UK Addendum since we'll have EU SCCs anyway. No customers in those other states yet, just California.
>
> **Agent:** Good. I'll draft the DPA with:
> - **Core DPA** with GDPR Article 28 clauses (all eight sub-clauses)
> - **EU SCCs Module 2** (controller to processor) with Annexes I, II, and III
> - **UK Addendum** to EU SCCs (Tables 1-4)
> - **CCPA/CPRA service provider addendum**
> - **Transfer Impact Assessment** for the EU/UK→US transfers
>
> Let me gather the details for Article 28. What categories of personal data does DataPulse process, and what are the processing purposes?
>
> **You:** We process website visitor behavioral data — IP addresses, device identifiers, page views, click patterns, session recordings. Purpose is analytics and conversion optimization for our customers. Our customers are the controllers.
>
> **Agent:** I've built the DPA JSON and run the jurisdiction checker. There are 2 errors:
>
> - **[ERROR]** EU SCCs Clause 17 governing law is not specified. Must be law of an EU member state. Since your EEA customers are in Germany and France, I'd recommend Irish law (your EU processing location) — shall I use that?
> - **[ERROR]** GDPR Art. 28(3) sub-clause (f) not confirmed — assistance with breach notification, DPIAs (Art. 35), and prior consultation (Art. 36).
>
> There's also 1 warning about a missing TIA. Let me draft the Transfer Impact Assessment covering US surveillance law (FISA §702, CLOUD Act) and your supplementary measures. What encryption and access controls does DataPulse have in place for data at rest and in transit?

## Sample Output Excerpt

Below is a representative excerpt from a generated DPA, showing the Article 28 processor obligations and the EU SCCs Annex I — the sections most frequently scrutinized by data protection authorities.

---

### 4. Processor Obligations (GDPR Article 28(3))

The Processor shall:

**(a) Documented Instructions.** Process the Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

**(b) Confidentiality.** Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

**(c) Security (Article 32).** Implement and maintain appropriate technical and organisational measures as set out in Annex II to this DPA, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

**(d) Sub-Processing.** Not engage another processor without prior specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object to such changes. The current list of approved sub-processors is set out in Annex III.

**(e) Data Subject Rights.** Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR.

**(f) Security, Breach Notification, DPIAs, and Prior Consultation.** Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor. In particular:
- **Article 33 (Breach Notification):** The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. This notification shall include, at minimum: the nature of the breach, the categories and approximate number of data subjects concerned, the likely consequences, and the measures taken or proposed to address the breach. The Processor acknowledges that the 72-hour deadline under Article 33(1) applies to the Controller's notification to the supervisory authority, not to the Processor's notification to the Controller.
- **Article 35 (DPIA):** The Processor shall provide the Controller with all information reasonably necessary to carry out data protection impact assessments.
- **Article 36 (Prior Consultation):** The Processor shall cooperate with the Controller in any prior consultation with the supervisory authority.

**(g) Deletion or Return.** At the choice of the Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.

**(h) Audit.** Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

---

### Annex I to EU Standard Contractual Clauses (Module 2: Controller to Processor)

**A. List of Parties**

| Role | Entity | Address | Contact | Activities |
|---|---|---|---|---|
| Data exporter (Controller) | [Customer Entity Name] | [Address] | [DPO/Privacy Contact] | Collects website visitor data from its end users for analytics and conversion optimisation |
| Data importer (Processor) | DataPulse, Inc. | 2100 Wilson Blvd, Arlington, VA 22201, USA | privacy@datapulse.example | Processes website visitor behavioural data to provide analytics dashboards and conversion insights to the data exporter |

**B. Description of Transfer**

| Element | Detail |
|---|---|
| Categories of data subjects | Website visitors and end users of the data exporter's online properties |
| Categories of personal data | IP addresses, device identifiers, browser fingerprints, page view URLs, click coordinates, scroll depth, session recordings, timestamps |
| Sensitive data | None transferred. Session recordings are configured to mask form fields and exclude health or financial data entry. |
| Frequency of transfer | Continuous (real-time event streaming) |
| Nature of processing | Collection, storage, pseudonymisation, aggregation, analysis, visualisation, deletion |
| Purpose | Providing website analytics, user behaviour analysis, and conversion optimisation services |
| Retention period | 13 months from collection, unless the data exporter configures a shorter retention period |

**C. Competent Supervisory Authority**

The competent supervisory authority is the Data Protection Commission (DPC) of Ireland, identified in accordance with Clause 13 of the EU SCCs, as the data exporter's lead establishment for processing activities is located in the EU and the DPC is the supervisory authority with competence.


## Built-in Validation

The skill includes a jurisdiction checker that automatically detects which privacy regimes apply based on your data flows and validates that the DPA has all required provisions for each regime. The agent runs it after data flow profiling and again after drafting to catch gaps.

### What the validator checks

| Check Category | What It Validates | Severity |
|---|---|---|
| **Data flows** | At least one data flow defined with subject and processing locations | ERROR if missing |
| **EU GDPR Art. 28** | All eight sub-clauses (a)-(h) individually confirmed for EEA data subjects | ERROR per missing clause |
| **EU SCCs** | Correct module (1-4), completed Annex I (parties, transfer description, supervisory authority), Annex II (specific TOMs), Annex III (subprocessors for Module 2) | ERROR / WARNING |
| **EU SCCs Clause 17** | Governing law of an EU member state specified | ERROR if missing |
| **EU-US DPF** | If DPF-certified, notes that SCCs are not strictly required but dual coverage recommended | INFO |
| **UK transfer mechanism** | IDTA or UK Addendum present for UK→non-adequate transfers; correct type specified | ERROR if missing |
| **UK DPF Extension** | Notes DPF UK Extension if indicated | INFO |
| **CCPA/CPRA** | Service provider terms for California resident data subjects (triggered only for California, not all US) | ERROR if missing |
| **Colorado CPA** | Processor addendum for Colorado residents | WARNING if missing |
| **Virginia VCDPA** | Processor addendum for Virginia residents | WARNING if missing |
| **Connecticut CTDPA** | Processor addendum for Connecticut residents | WARNING if missing |
| **TIA** | Transfer Impact Assessment for cross-border transfers | WARNING if missing |
| **Subprocessors** | At least one subprocessor listed (most SaaS providers rely on cloud infrastructure providers) | WARNING if empty |
| **Security measures** | Specific TOMs documented (not generic references) | WARNING if empty |

### Severity levels

- **ERROR** — A mandatory legal element is missing. The DPA would not comply with the applicable regime without it.
- **WARNING** — A recommended element is absent. May not render the DPA invalid but creates compliance risk or may draw regulator attention.
- **INFO** — Informational notes, such as DPF certification status verification.

### Example validation output

```
========================================================================
Multi-Jurisdiction DPA — Jurisdiction Check
========================================================================

Data flows analyzed: 4
Regimes detected: EU GDPR, UK GDPR / DPA 2018, CCPA/CPRA (California),
  EU SCCs required, UK transfer mechanism required

--- Errors (must fix) ---
  [ERROR] EU SCCs Clause 17 governing law is not specified. Must be law
    of an EU member state that allows third-party beneficiary rights.
  [ERROR] GDPR Art. 28(3) requires all eight sub-clauses. Missing or
    not confirmed:
      - (f) Assist with Arts. 32–36 (security, breach notification,
        DPIAs, prior consultation)

--- Warnings (should address) ---
  [WARNING] Cross-border transfer detected but no Transfer Impact
    Assessment (TIA) included. The EDPB Recommendations 01/2020
    require a TIA before relying on SCCs.
  [WARNING] No security measures (TOMs) documented. Article 32
    requires appropriate technical and organisational measures —
    these should be listed specifically, not by generic reference.

========================================================================
```

The agent runs the jurisdiction checker automatically after profiling data flows and again after each major DPA section is drafted, so you always know which regimes are covered and which provisions still need attention.
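To make the validation table concrete, here is a small rule-based jurisdiction checker written as an added example for this page; it is not the skill's own checker, and its location sets, rule mapping and adequacy assumptions (EEA treated as adequate for UK data, US states mapped to the four state laws in the table) are constructed assumptions drawn from the table rather than the skill's actual rule set. It takes a list of data flows plus the DPA's confirmed provisions, detects regimes, and emits ERROR/WARNING/INFO findings in the same shape as the sample output above. The `datapulse_example()` input is constructed to mirror the conversation: Article 28(3)(f) unconfirmed, Clause 17 blank, no TIA, no TOMs.

```python
"""Rule-based jurisdiction checker modelled on the validation table (added example,
not the skill's own code). Location sets are constructed, non-exhaustive subsets."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

EEA = {"Germany", "France", "Ireland", "Netherlands", "Spain"}   # constructed subset
EU_MEMBER_STATES = EEA             # assumption: Clause 17 law must be one of these
US_LOCATIONS = {"Virginia", "Ohio", "Oregon"}                    # constructed region states
# State regime -> (regime name, required DPA key, severity if missing), per the table.
US_STATE_LAWS = {
    "California": ("CCPA/CPRA", "ccpa_terms", "ERROR"),
    "Colorado": ("Colorado CPA", "cpa_addendum", "WARNING"),
    "Virginia": ("Virginia VCDPA", "vcdpa_addendum", "WARNING"),
    "Connecticut": ("Connecticut CTDPA", "ctdpa_addendum", "WARNING"),
}
ART28_CLAUSES = "abcdefgh"   # the eight GDPR Art. 28(3) sub-clauses

@dataclass
class DataFlow:
    subjects: str      # where the data subjects are (country or US state)
    processing: str    # where the data is processed

@dataclass
class DPA:
    flows: List[DataFlow]
    art28_confirmed: Set[str] = field(default_factory=set)   # e.g. {"a", "b", ...}
    scc_module: Optional[int] = None                          # EU SCC module 1-4
    scc_governing_law: Optional[str] = None                   # Clause 17
    dpf_certified: bool = False
    uk_mechanism: Optional[str] = None                        # "IDTA" or "UK Addendum"
    us_addenda: Set[str] = field(default_factory=set)         # keys from US_STATE_LAWS
    tia_included: bool = False
    subprocessors: List[str] = field(default_factory=list)
    toms: List[str] = field(default_factory=list)             # specific security measures

def region(place: str) -> str:
    """Coarse region bucket used by the transfer rules (assumption: four buckets suffice)."""
    if place in EEA:
        return "EEA"
    if place == "UK":
        return "UK"
    if place in US_STATE_LAWS or place in US_LOCATIONS:
        return "US"
    return "OTHER"

def check(dpa: DPA) -> Tuple[Set[str], List[Tuple[str, str]]]:
    """Return (regimes detected, findings as (severity, message))."""
    regimes: Set[str] = set()
    findings: List[Tuple[str, str]] = []
    if not dpa.flows:
        return regimes, [("ERROR", "No data flows defined")]
    eea_subjects = any(region(f.subjects) == "EEA" for f in dpa.flows)
    # Assumption: EEA data leaving the EEA needs a transfer tool; UK data needs one
    # unless processed in the UK or the EEA (treated here as adequate).
    eea_export = any(region(f.subjects) == "EEA" and region(f.processing) != "EEA" for f in dpa.flows)
    uk_export = any(region(f.subjects) == "UK" and region(f.processing) not in ("UK", "EEA") for f in dpa.flows)
    if eea_subjects:
        regimes.add("EU GDPR")
        for clause in ART28_CLAUSES:   # each sub-clause must be individually confirmed
            if clause not in dpa.art28_confirmed:
                findings.append(("ERROR", f"GDPR Art. 28(3) sub-clause ({clause}) not confirmed"))
    if eea_export:
        regimes.add("EU SCCs required")
        if dpa.dpf_certified:
            findings.append(("INFO", "DPF-certified: SCCs not strictly required, dual coverage recommended"))
        if dpa.scc_module not in (1, 2, 3, 4):
            findings.append(("ERROR", "EU SCC module (1-4) not selected"))
        if dpa.scc_governing_law not in EU_MEMBER_STATES:
            findings.append(("ERROR", "EU SCCs Clause 17 governing law not specified (must be EU member state law)"))
    if uk_export:
        regimes.add("UK GDPR / DPA 2018")
        if dpa.uk_mechanism not in ("IDTA", "UK Addendum"):
            findings.append(("ERROR", "UK transfer mechanism (IDTA or UK Addendum) missing"))
    # Triggered per state actually present in the flows, so California alone does not pull in CPA/VCDPA/CTDPA.
    for state in sorted({f.subjects for f in dpa.flows if f.subjects in US_STATE_LAWS}):
        name, key, severity = US_STATE_LAWS[state]
        regimes.add(name)
        if key not in dpa.us_addenda:
            findings.append((severity, f"{name} processor terms missing for {state} residents"))
    if (eea_export or uk_export) and not dpa.tia_included:
        findings.append(("WARNING", "Cross-border transfer detected but no Transfer Impact Assessment (TIA)"))
    if not dpa.subprocessors:
        findings.append(("WARNING", "No subprocessors listed"))
    if not dpa.toms:
        findings.append(("WARNING", "No specific security measures (TOMs) documented"))
    return regimes, findings

def report(dpa: DPA) -> str:
    """Render findings grouped by severity, in the style of the sample output."""
    regimes, findings = check(dpa)
    lines = [f"Data flows analyzed: {len(dpa.flows)}", "Regimes detected: " + ", ".join(sorted(regimes))]
    for severity in ("ERROR", "WARNING", "INFO"):
        lines += [f"  [{sev}] {msg}" for sev, msg in findings if sev == severity]
    return "\n".join(lines)

def datapulse_example() -> DPA:
    """Constructed input mirroring the conversation above (hypothetical company)."""
    flows = [DataFlow("Germany", "Ireland"), DataFlow("Germany", "Virginia"),
             DataFlow("UK", "Virginia"), DataFlow("California", "Virginia")]
    return DPA(flows=flows, art28_confirmed=set("abcdegh"), scc_module=2,
               uk_mechanism="UK Addendum", us_addenda={"ccpa_terms"}, subprocessors=["AWS"])

if __name__ == "__main__":
    print(report(datapulse_example()))
```

Running it on the constructed DataPulse input yields the same two errors and two warnings as the sample output: Art. 28(3)(f) unconfirmed, Clause 17 blank, no TIA, no TOMs. Marking the same input DPF-certified with the errors fixed turns the SCC finding into an INFO note, which is the "dual coverage recommended" behaviour the table describes.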

