Data Processing Agreement (Ghana)
Data Processing Agreement
This Data Processing Agreement (this "Agreement") is entered into on [Agreement Date] between:
DATA CONTROLLER: [Controller Name], DPC registration number [Controller DPC Reg], having its registered address at [Controller Address] (the "Controller"); and
DATA PROCESSOR: [Processor Name], DPC registration number [Processor DPC Reg], having its registered address at [Processor Address] (the "Processor").
This Agreement governs the processing of personal data by the Processor on behalf of the Controller in accordance with Section 37 of the Data Protection Act 2012 (Act 843).
1. Subject Matter and Details of Processing
Subject matter: [Processing Subject]
Nature of processing operations: [Processing Nature]
Purpose of processing: [Processing Purpose]
Duration: [Agreement Duration]
Types of personal data: [Data Categories]
Categories of data subjects: [Subject Categories]
2. Processor Obligations
The Processor shall process personal data only on the documented instructions of the Controller and shall not process personal data for any other purpose.
The Processor shall ensure that all persons authorised to process the personal data are subject to a binding confidentiality obligation.
The Processor shall implement appropriate technical and organisational security measures to protect personal data against unauthorised access, loss, or destruction, in accordance with the Cybersecurity Act 2020 (Act 1038) and the guidelines of the Cyber Security Authority (CSA).
The Processor shall assist the Controller in fulfilling its obligations to respond to data subject access requests under Section 10 of Act 843 and other data subject rights requests.
The Processor shall notify the Controller without undue delay, and in any event within [Breach Notification Period] of becoming aware of a personal data breach, in accordance with Section 30 of Act 843.
Sub-processor engagement permitted: [Sub-Processor Consent]. Where permitted, the Processor must impose on any sub-processor the same data protection obligations as those set out in this Agreement.
3. International Data Transfers
Transfer of personal data outside Ghana: [International Transfer].
4. Termination and Data Return
Upon termination or expiry of this Agreement, the Processor shall: [Data Return Method].
The Processor shall provide the Controller with written confirmation of the return or deletion of all personal data within 30 days of termination.
5. Controller Rights
The Controller has the right to audit the Processor's compliance with this Agreement and with the Data Protection Act 2012 (Act 843) at any time on reasonable notice.
The Controller may issue updated processing instructions to the Processor at any time, and the Processor shall comply with such instructions without undue delay.
6. Governing Law
This Agreement is governed by the laws of the Republic of Ghana. Any dispute shall be referred to the High Court (Commercial Division), Accra, or resolved through alternative dispute resolution under the Alternative Dispute Resolution Act 2010 (Act 798).
Signatures
IN WITNESS WHEREOF the Parties have executed this Data Processing Agreement on [Agreement Date].
Data Controller
________________
Signature
Data Processor
________________
Signature
What Is a Data Processing Agreement (Ghana)?
A Data Processing Agreement in Ghana governs the relationship between the parties by fixing what each must do.
The Data Protection Act 2012 (Act 843) establishes the Data Protection Commission (DPC) as the supervisory authority in Ghana responsible for registering data controllers, investigating complaints, and enforcing data protection obligations. Every data controller that processes personal data of persons in Ghana must register with the DPC under Section 17 of Act 843 and comply with the data protection principles set out in Section 18, which include purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.
A data controller is a person or organisation that, alone or jointly with others, determines the purposes and means of processing personal data. A data processor is a person or organisation that processes personal data on behalf of the data controller. Common examples of data processing relationships in Ghana include: a company using a payroll bureau to process employee salary data; a bank licensed by the Bank of Ghana (BoG) using a cloud service provider to store customer account data; a hospital using a health information management company to manage patient electronic health records; and an e-commerce company using a payment gateway provider to process customer payment card data.
The Electronic Transactions Act 2008 (Act 772) and the Cybersecurity Act 2020 (Act 1038) complement Act 843 by imposing security obligations on electronic processing of personal data. The Cyber Security Authority (CSA), established under Act 1038, regulates cybersecurity practices and may investigate data processors involved in cyber-incidents. The Data Processing Agreement (Ghana) must therefore address both Act 843 s.37 requirements and the applicable security standards under Act 1038.
A Data Processing Agreement in Ghana is distinct from a Data Sharing Agreement, which governs the transfer of personal data from one controller to another controller, rather than from a controller to a processor acting under the controller's instructions. Both documents are governed by Act 843, but a Data Processing Agreement specifically operationalises the controller-processor relationship required by Section 37.
The legal framework governing the Data Processing Agreement (Ghana) in Ghana draws on several key statutes and regulatory bodies. Under the Companies Act 2019 (Act 992), the Registrar General's Department (RGD) maintains the register of Ghanaian companies. Section 7 of the Companies Act 2019 governs company incorporation. The Ghana Revenue Authority (GRA) administers corporate tax under the Income Tax Act 2015 (Act 896). The Commercial Division of the High Court in Accra adjudicates business disputes. The Ghana Investment Promotion Centre (GIPC) regulates foreign investment under the GIPC Act 2013 (Act 865). Parties executing a Data Processing Agreement (Ghana) in Ghana should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Data Protection Act 2012 (Act 843) sets the foundational requirements.
When Do You Need a Data Processing Agreement (Ghana)?
A Data Processing Agreement in Ghana is required in the following circumstances.
A Data Processing Agreement is needed whenever a data controller registered with the Data Protection Commission (DPC) under the Data Protection Act 2012 (Act 843) engages a third-party service provider to process personal data on its behalf, as Section 37 of Act 843 requires this processing to be governed by a written contract.
A Data Processing Agreement is required when a company incorporated under the Companies Act 2019 (Act 992) outsources its payroll processing to a payroll bureau, thereby causing the bureau to process employees' personal data including Ghana Card numbers, bank account details, SSNIT numbers, and salary information.
A Data Processing Agreement is needed when a bank licensed by the Bank of Ghana (BoG) engages a cloud computing service provider — whether based in Ghana or abroad — to host customer personal data, triggering both Act 843 s.37 and the Bank of Ghana's Technology Risk Management Guidelines.
A Data Processing Agreement is required when a healthcare provider engages a health information management company or electronic medical records (EMR) software provider to process patient personal health data, which constitutes sensitive personal data under Act 843 attracting heightened protection.
A Data Processing Agreement is needed when an e-commerce company or digital financial services provider engages a payment processor or fraud detection service provider that will process customer payment card data, personal identification data, or transaction data.
A Data Processing Agreement is required when a telecommunications operator licensed by the National Communications Authority (NCA) engages a customer relationship management (CRM) platform provider to process subscriber personal data including call records, location data, and billing information.
Parties in Ghana should execute a Data Processing Agreement before any processing of personal data by the processor commences, to confirm compliance with Act 843 s.37 and to allocate liability for data breaches between the controller and processor.
What to Include in Your Data Processing Agreement (Ghana)
A valid Data Processing Agreement in Ghana under the Data Protection Act 2012 (Act 843) s.37 must contain the following essential elements.
Parties: Full legal names and DPC registration numbers of both the data controller and the data processor; registered addresses in Ghana; and contact details of each party's Data Protection Officer (DPO) or designated data protection contact.
Subject Matter and Duration: A precise description of the personal data processing activities to be carried out by the processor on behalf of the controller; the duration of the agreement; and the scheduled return or deletion of personal data upon termination.
Nature and Purpose of Processing: The specific processing operations — such as collection, storage, retrieval, analysis, transmission, or deletion — that the processor is authorised to perform; and the business purpose for which the controller requires the processing, consistent with the purpose for which the personal data was originally collected.
Types of Personal Data and Categories of Data Subjects: The categories of personal data to be processed — such as names, Ghana Card numbers, SSNIT numbers, financial data, health data, or biometric data; and the categories of data subjects whose data will be processed — such as customers, employees, or members of the public.
Processor Obligations: The processor's obligation to process personal data only on the documented instructions of the controller; to maintain confidentiality; to implement appropriate technical and organisational security measures under the Cybersecurity Act 2020 (Act 1038); to assist the controller in responding to data subject access requests under Section 10 of Act 843; to notify the controller without undue delay of any personal data breach under Section 30 of Act 843; and not to engage sub-processors without prior written consent of the controller.
Controller Rights: The controller's right to audit the processor's compliance; the controller's right to issue instructions regarding processing; and the controller's right to require deletion or return of personal data.
International Transfers: Where the processor is located outside Ghana or where processing involves cross-border data transfer, the agreement must address compliance with the Act 843 provisions on international data transfers and any applicable adequacy determinations or safeguards recognised by the DPC.
Additional compliance elements include: alignment with the Bank of Ghana (BoG) Technology Risk Management Guidelines for financial sector processors; sub-processor management provisions; and provisions for cooperation with DPC investigations. Forms-legal.com provides this template as a starting point for Ghana-compliant data processing documentation.
Additional compliance elements for a Data Processing Agreement (Ghana) used in Ghana include: Under the Companies Act 2019 (Act 992), the Registrar General's Department (RGD) maintains the register of Ghanaian companies. Section 7 of the Companies Act 2019 governs company incorporation. The Ghana Revenue Authority (GRA) administers corporate tax under the Income Tax Act 2015 (Act 896). The Commercial Division of the High Court in Accra adjudicates business disputes. The Ghana Investment Promotion Centre (GIPC) regulates foreign investment under the GIPC Act 2013 (Act 865). Forms-legal.com provides this template as a starting point for Ghana-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Processing Agreement (Ghana) (Ghana) [Legal document template]. Forms Legal. https://forms-legal.com/ghana/business/contracts/data-processing-agreement-ghana
"Data Processing Agreement (Ghana) (Ghana)." Forms Legal, 2026, https://forms-legal.com/ghana/business/contracts/data-processing-agreement-ghana.
@misc{formslegal-data-processing-agreement-ghana,
author = {{Forms Legal}},
title = {Data Processing Agreement (Ghana) (Ghana)},
year = {2026},
howpublished = {\url{https://forms-legal.com/ghana/business/contracts/data-processing-agreement-ghana}},
note = {Free legal document template}
}Also available for these jurisdictions:
Frequently Asked Questions
Yes. Section 37 of the Data Protection Act 2012 (Act 843) requires that where a data controller engages a data processor to process personal data on its behalf, the processing must be governed by a written contract binding the processor to act only on the documented instructions of the controller. The written contract must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects involved, and the obligations and rights of the data controller. A data controller that engages a processor without a compliant written Data Processing Agreement is in breach of Act 843 and may be subject to enforcement action by the Data Protection Commission (DPC), including an enforcement notice and financial penalties. The DPC has the authority to investigate data controllers and processors and to require corrective measures.
Under the Data Protection Act 2012 (Act 843), a data controller is a person or organisation that, alone or jointly with others, determines the purposes and means of the processing of personal data. The data controller decides why personal data is collected and how it is used. A data processor, by contrast, is a person or organisation that processes personal data on behalf of and under the instructions of the data controller. The processor does not determine the purposes of processing; it merely carries out the instructions of the controller. Both the controller and the processor must be registered with the Data Protection Commission (DPC) under Section 17 of Act 843 if they process personal data in Ghana. The Data Processing Agreement (Ghana) is the written contract required by Act 843 s.37 to govern the relationship between the controller and the processor, making clear that the processor acts only under the controller's documented instructions.
A data processor in Ghana may engage sub-processors to assist with the processing of personal data on behalf of the data controller, but only with the prior written authorisation of the data controller, as required by the Data Protection Act 2012 (Act 843) and as should be expressly set out in the Data Processing Agreement. Where a processor engages a sub-processor, the processor must impose on the sub-processor the same data protection obligations as those imposed on the processor by the Data Processing Agreement, particularly regarding security measures, confidentiality, breach notification, and processing only on the controller's instructions. The processor remains fully liable to the data controller for the performance of the sub-processor's obligations under Act 843. The Data Processing Agreement (Ghana) should include a list of approved sub-processors or a mechanism for the controller to approve new sub-processors before engagement.
Under the Data Protection Act 2012 (Act 843) and the Cybersecurity Act 2020 (Act 1038), a data processor in Ghana must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. Relevant security measures include: encryption of personal data at rest and in transit; access controls limiting access to personal data to authorised personnel only; regular security testing and vulnerability assessments in accordance with the Cyber Security Authority's (CSA) guidelines under Act 1038; physical security measures protecting servers and devices containing personal data; incident response procedures enabling prompt detection and reporting of data breaches to the data controller; and staff training on data protection and information security. For processors handling financial data, the Bank of Ghana (BoG) Technology Risk Management Guidelines impose additional security requirements. The Data Processing Agreement (Ghana) should describe the specific security measures the processor commits to maintaining throughout the term of the agreement.
The Data Processing Agreement in Ghana must include a provision requiring the data processor to notify the data controller without undue delay — and in any event within a timeframe agreed in the contract, typically 24 to 48 hours — upon becoming aware of a personal data breach affecting personal data processed on behalf of the controller. This contractual obligation supports the data controller's own obligation under Section 30 of the Data Protection Act 2012 (Act 843) to notify the Data Protection Commission (DPC) of a personal data breach without undue delay. The processor's notification to the controller must include: a description of the nature of the breach; the categories and approximate number of data subjects affected; the categories and approximate volume of personal data records compromised; the likely consequences of the breach; and the measures taken or proposed to contain and mitigate the breach. The controller then uses this information to prepare the Data Breach Notification Form for submission to the DPC.
Upon termination or expiry of a Data Processing Agreement in Ghana, the data processor must, at the choice of the data controller, either return all personal data to the data controller or securely delete all personal data held by the processor, in accordance with the data controller's instructions and the requirements of the Data Protection Act 2012 (Act 843). The processor must also delete or return any copies in the possession of sub-processors engaged under the agreement. The processor should provide the data controller with written confirmation of deletion or return within the timeframe specified in the Data Processing Agreement. Retention of personal data by the processor beyond the term of the agreement, without the controller's instructions or a legal basis under Act 843, constitutes a breach of the Act and may result in enforcement action by the Data Protection Commission (DPC). The Data Processing Agreement (Ghana) should specify the format of data return and the deletion standard to be applied.
Where a Data Processing Agreement in Ghana involves the transfer of personal data outside Ghana — for example, to a cloud service provider with servers in Europe, the United States, or another African country — the agreement must address compliance with the cross-border transfer provisions of the Data Protection Act 2012 (Act 843). Act 843 permits international transfers where the recipient country provides an adequate level of data protection, or where the data controller has implemented appropriate safeguards such as standard contractual clauses approved by the Data Protection Commission (DPC). The DPC is responsible for making adequacy determinations and publishing guidance on approved transfer mechanisms. Where personal data of Ghanaian data subjects is transferred to an EU-based processor, the agreement must also address any applicable requirements under the EU General Data Protection Regulation (GDPR). The Data Processing Agreement (Ghana) should include a dedicated section on international transfers and specify the legal basis and safeguards applied to each cross-border transfer.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Data Breach Notification Form (Ghana)
A Data Breach Notification Form for Ghana under the Data Protection Act 2012 (Act 843) s.30, used to notify the Data Protection Commission and affected data subjects of a personal data breach.
Data Protection Compliance Form (Ghana)
A Data Protection Compliance Form for Ghana under the Data Protection Act 2012 (Act 843) s.22, used by data controllers to document their compliance with data protection principles and registration obligations.