Subprocessor Agreement Template for Australia
What is a Subprocessor Agreement?
This Subprocessor Agreement is essential when an organization (processor) engaged by a data controller intends to delegate some or all of its data processing activities to another entity (subprocessor). The agreement is specifically designed for use in Australia, ensuring compliance with the Privacy Act 1988 (Cth) and Australian Privacy Principles. It outlines detailed requirements for data handling, security measures, breach notifications, and cross-border transfers. The document becomes necessary when establishing chain processing relationships and is particularly important for organizations handling sensitive personal data or operating in regulated industries. It includes specific provisions for Australian privacy law compliance, audit rights, data breach reporting, and data deletion/return procedures.
Frequently Asked Questions
Is a Subprocessor Agreement legally binding under Australian privacy law?
Yes, a Subprocessor Agreement is legally binding in Australia when properly executed. Under the Privacy Act 1988 and Australian Privacy Principles, data processors have legal obligations when delegating processing activities to third parties. The agreement creates enforceable contractual obligations between parties and helps ensure compliance with mandatory privacy requirements.
Can I be fined if my Subprocessor Agreement doesn't comply with Australian privacy laws?
Yes, non-compliance with Australian privacy laws can result in significant penalties. The Privacy Act 1988 allows for civil penalties up to $2.22 million for corporations and $444,000 for individuals for serious or repeated privacy breaches. Missing or inadequate subprocessor agreements can expose you to regulatory action by the Office of the Australian Information Commissioner.
How does a Subprocessor Agreement differ from a Data Processing Agreement in Australia?
A Data Processing Agreement establishes the relationship between a data controller and a processor, while a Subprocessor Agreement governs the arrangement when that processor further delegates activities to a third party (subprocessor). Under Australian law, both are required: the original processor remains liable to the controller and must ensure, through the Subprocessor Agreement, that the subprocessor meets the same privacy obligations.
How long does it typically take to prepare a Subprocessor Agreement for Australian businesses?
A standard Subprocessor Agreement typically takes 1-3 weeks to prepare, depending on complexity and negotiation requirements. Simple templates can be customized in a few days, while agreements involving cross-border data transfers or sensitive personal information may require several weeks for proper privacy impact assessments and legal review under Australian Privacy Principles.
Which Australian Privacy Principles must be addressed in Subprocessor Agreements?
Subprocessor Agreements must address several Australian Privacy Principles, particularly APP 8 (cross-border disclosure), APP 11 (security safeguards), and APP 12 (access and correction). The agreement must ensure the subprocessor implements reasonable security measures, handles data breaches appropriately, and maintains the same level of protection required under Australian privacy law.
What common mistakes do businesses make when drafting Subprocessor Agreements in Australia?
Common mistakes include failing to address cross-border data transfer requirements under APP 8, not specifying adequate security measures required by APP 11, and omitting clear breach notification procedures. Many businesses also forget to include data residency requirements, fail to address data retention periods, or don't properly define the scope of processing activities permitted under Australian law.
Can subprocessors transfer personal information overseas under Australian privacy law?
Subprocessors can transfer personal information overseas only with proper safeguards under APP 8 of the Privacy Act 1988. The Subprocessor Agreement must specify any permitted overseas transfers, ensure adequate protection in the receiving country, and may require individual consent or binding corporate rules. Cross-border transfers without proper compliance can result in significant penalties under Australian privacy law.
About the Subprocessor Agreement
A Subprocessor Agreement is a critical legal document that governs the relationship between a data processor and a third-party subprocessor when personal information handling is delegated. Under Australian privacy law, this agreement ensures that all parties maintain compliance with the Privacy Act 1988 and Australian Privacy Principles, establishing clear responsibilities for data protection throughout the processing chain.
When do you need this document?
You need a Subprocessor Agreement whenever your organization, acting as a data processor, intends to engage another entity to handle personal information on your behalf. This commonly occurs when cloud service providers subcontract data hosting, when marketing agencies engage specialized analytics firms, or when software companies use third-party payment processors. The agreement is also essential when international service providers process Australian personal data, ensuring cross-border transfer compliance. Organizations in healthcare, finance, and technology sectors particularly require these agreements due to their frequent use of specialized subprocessing services for customer data, transaction processing, and technical support functions.
Key legal considerations
The agreement must clearly define the scope of authorized processing activities and establish comprehensive data protection obligations. Security measures must meet Australian standards, including encryption requirements, access controls, and incident response procedures. Breach notification clauses should align with the Notifiable Data Breaches Scheme, requiring prompt notification to both the processor and relevant authorities. The agreement must address data retention and deletion requirements, ensuring personal information is only kept for necessary purposes. Audit rights and compliance monitoring provisions are essential, allowing regular assessment of the subprocessor's data handling practices. Liability and indemnification clauses should clearly allocate responsibility for privacy breaches and regulatory penalties between the parties.
Legal requirements in Australia
Under the Privacy Act 1988, organizations must ensure subprocessors handle personal information in accordance with Australian Privacy Principles. The agreement must include specific provisions for cross-border data transfers, ensuring adequate protection when personal information leaves Australia. Organizations must conduct due diligence on subprocessors' data protection capabilities and maintain oversight of their activities. The Security of Critical Infrastructure Act 2018 may impose additional requirements if the subprocessing involves critical infrastructure. The agreement should reference the Australian Information Commissioner's guidance on privacy compliance and include mechanisms for regulatory cooperation. For organizations handling health information, additional requirements under state and territory health privacy legislation may apply, requiring specific security and access control measures.
Governing law
Applicable law
This Subprocessor Agreement is drafted to comply with Australian law. Key legislation includes: