Sub-Data Processor Agreement (Ghana)
Sub-Data Processor Agreement
This Sub-Data Processor Agreement (this "Agreement") is entered into on [Agreement Date] between:
PROCESSOR: [Processor Name] (Company Registration No. [Processor Registration No.]), of [Processor Address] (the "Processor"); and
SUB-PROCESSOR: [Sub-Processor Name], of [Sub-Processor Address] (the "Sub-Processor").
This Agreement is entered into in connection with the processing of personal data on behalf of [Data Controller Name] (the "Data Controller") and is governed by the Data Protection Act 2012 (Act 843) of Ghana and the Contract Act 1960 (Act 25).
1. Definitions
In this Agreement: "Act 843" means the Data Protection Act 2012 (Act 843) of Ghana; "DPC" means the Data Protection Commission established under Section 3 of Act 843; "Personal Data" has the meaning given in Section 97 of Act 843; "Processing" has the meaning given in Section 97 of Act 843; "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Appointment of Sub-Processor
The Processor appoints the Sub-Processor to process the following categories of Personal Data: [Data Categories].
The Sub-Processor shall process Personal Data only for the following purpose: [Processing Purpose], and only in accordance with the written instructions of the Processor and the Data Controller.
This appointment is for [Processing Duration] from the date of this Agreement, unless terminated earlier in accordance with Clause 9.
3. Obligations of the Sub-Processor
The Sub-Processor shall: (a) process Personal Data only on documented instructions from the Processor; (b) ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations; (c) implement technical and organisational security measures adequate to the risk of the processing, in accordance with Act 843 and any standards issued by the National Information Technology Agency (NITA); (d) assist the Processor in fulfilling its obligations to respond to data subject rights requests under Sections 18, 20, and 22 of Act 843; and (e) make available all information necessary to demonstrate compliance with Act 843 and cooperate with audits conducted by the Processor, the Data Controller, or the DPC.
The Sub-Processor shall register with the DPC if required under Section 16 of Act 843 and shall maintain its registration for the duration of this Agreement.
4. Further Sub-Processing
The Sub-Processor may engage further sub-processors [Further Sub-Processing Permission]. Any further sub-processor must be bound by a written agreement containing data protection obligations at least equivalent to those in this Agreement.
5. Personal Data Breach Notification
The Sub-Processor shall notify the Processor without undue delay, and in any event within 48 hours, upon becoming aware of a Personal Data Breach. The notification shall describe: (a) the nature of the breach; (b) the categories and approximate number of data subjects and Personal Data records affected; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach.
6. Cross-Border Transfers
The Sub-Processor shall not transfer Personal Data outside Ghana except with the prior written consent of the Processor and in compliance with the transfer restrictions under Act 843, including any adequacy assessment or safeguards approved by the DPC.
7. Return and Deletion of Personal Data
Upon expiry or termination of this Agreement, the Sub-Processor shall, at the election of the Processor, securely delete or return all Personal Data and confirm in writing that deletion has been completed, unless Ghanaian law requires continued retention.
8. Governing Law and Dispute Resolution
This Agreement is governed by the laws of the Republic of Ghana, including the Data Protection Act 2012 (Act 843) and the Contract Act 1960 (Act 25). Any dispute arising out of or in connection with this Agreement shall be referred to the [Governing Forum].
Signatures
IN WITNESS WHEREOF the Parties have executed this Sub-Data Processor Agreement on the date first written above.
Processor
________________
Signature
Sub-Processor
________________
Signature
What Is a Sub-Data Processor Agreement (Ghana)?
A Sub-Data Processor Agreement in Ghana records the obligations the parties accept and the terms governing their arrangement.
Ghana's data protection regime is administered by the Data Protection Commission (DPC), established under Section 3 of the Data Protection Act 2012 (Act 843). The DPC registers data controllers and data processors, issues guidelines on lawful processing, investigates complaints, and imposes administrative penalties for breaches of Act 843. Every entity in the processing chain — data controller, processor, and sub-processor — bears obligations directly under Act 843. The Sub-Data Processor Agreement documents how the sub-processor will meet those obligations in respect of the personal data it handles.
Personal data is defined broadly under Section 97 of Act 843 to include any information relating to an identified or identifiable individual. This includes names, contact details, identification numbers issued by the Ghana Revenue Authority (GRA) or Electoral Commission, financial account information, medical records, biometric data, and employee records. Sub-processing arrangements commonly arise when a Ghanaian technology company or financial institution subcontracts cloud storage, payroll processing, or customer service operations to a specialist third party.
The Electronic Transactions Act 2008 (Act 772) governs the legal validity of electronic records and electronic signatures in Ghana. Under Section 8 of Act 772, an electronic signature that reliably identifies the signatory satisfies any statutory requirement for a signature. A Sub-Data Processor Agreement executed electronically through a compliant platform is therefore fully enforceable before the High Court (Commercial Division) in Accra.
The Contract Act 1960 (Act 25) supplies the general law of contract governing the Sub-Data Processor Agreement in Ghana. The agreement must satisfy the foundational requirements of Act 25: offer, acceptance, consideration, capacity of the parties, and a lawful purpose. Because Act 843 mandates a written contract for all sub-processing arrangements, oral agreements for sub-processing of personal data are not enforceable in Ghana.
Companies incorporated under the Companies Act 2019 (Act 992) and registered with the Office of the Registrar of Companies (ORC) that operate as data controllers or processors must confirm that all sub-processing contracts are reviewed for compliance with Act 843 before execution. The Ghana Investment Promotion Centre (GIPC) under the GIPC Act 2013 (Act 865) regulates foreign investment in data-sensitive sectors, and sub-processing arrangements involving cross-border transfers of personal data out of Ghana must satisfy the transfer restrictions imposed by Act 843. The National Information Technology Agency (NITA) also issues standards relevant to information security obligations of data processors operating in Ghana.
When Do You Need a Sub-Data Processor Agreement (Ghana)?
A Sub-Data Processor Agreement in Ghana is required whenever a data processor that has contracted with a data controller to process personal data needs to engage a third party to perform any part of that processing. The agreement is mandatory under Section 28 of the Data Protection Act 2012 (Act 843) and must be in writing.
A Sub-Data Processor Agreement is needed when a Ghanaian financial institution licensed by the Bank of Ghana (BoG) under the Banks and Specialised Deposit-taking Institutions Act 2016 (Act 930) outsources core banking software processing, anti-money laundering screening, or know-your-customer (KYC) verification to a technology vendor that itself relies on a cloud infrastructure provider. The cloud provider is a sub-processor and must be bound by a Sub-Data Processor Agreement.
A Sub-Data Processor Agreement is required when a telecommunications operator licensed by the National Communications Authority (NCA) under the Electronic Communications Act 2008 (Act 775) engages a billing analytics company to process subscriber data. If that analytics company uses a data warehousing or artificial intelligence sub-vendor, a Sub-Data Processor Agreement must govern the onward transfer.
A Sub-Data Processor Agreement is needed when a human resources outsourcing firm registered with the Ghana Employers Association processes payroll data for multiple Ghanaian employers and subcontracts payslip generation or tax filing to an accounting software platform. The platform is a sub-processor of personal data under Act 843.
A Sub-Data Processor Agreement is required when a health management organisation accredited by the National Health Insurance Authority (NHIA) transfers patient medical records to a diagnostic laboratory or radiology centre. Medical data is a special category of sensitive personal data under Act 843, and sub-processing of such data requires enhanced safeguards.
Businesses should execute a Sub-Data Processor Agreement before commencing any sub-processing arrangement. Retroactive agreements do not cure liability for unauthorised processing that has already occurred. The Data Protection Commission (DPC) has authority to audit processor and sub-processor arrangements and may impose penalties under Act 843 for non-compliance.
Parties in Ghana should prepare a Sub-Data Processor Agreement (Ghana) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under the Companies Act 2019 (Act 992), the Registrar General's Department (RGD) maintains the register of Ghanaian companies. Section 7 of the Companies Act 2019 governs company incorporation. The Ghana Revenue Authority (GRA) administers corporate tax under the Income Tax Act 2015 (Act 896). The Commercial Division of the High Court in Accra adjudicates business disputes. The Ghana Investment Promotion Centre (GIPC) regulates foreign investment under the GIPC Act 2013 (Act 865). Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Sub-Data Processor Agreement (Ghana)
A binding Sub-Data Processor Agreement in Ghana under the Data Protection Act 2012 (Act 843) and the Contract Act 1960 (Act 25) must contain the following essential elements.
Parties: Full legal names, registration numbers issued by the Office of the Registrar of Companies (ORC), and principal business addresses of the processor and the sub-processor. Where the processor is a regulated entity — for example, licensed by the Bank of Ghana (BoG), the National Communications Authority (NCA), or the National Health Insurance Authority (NHIA) — that regulatory status should be identified.
Data Controller Context: Identification of the original data controller on whose behalf the processor is acting, the data controller's registration number with the Data Protection Commission (DPC), and confirmation that the data controller has authorised the engagement of the sub-processor either generally or specifically as required by the main processing agreement.
Subject Matter and Nature of Processing: A precise description of the personal data categories to be processed by the sub-processor — for example, employee payroll data, customer transaction records, or patient health information — and the specific processing operations to be performed, such as storage, analysis, transmission, or deletion.
Purpose and Duration: The permitted purpose of the sub-processing, which must be consistent with the purpose for which the data controller collected the personal data, and the duration of the sub-processing arrangement. Processing beyond the agreed purpose or after expiry of the agreed term constitutes a breach of Act 843.
Data Subject Rights: Obligations on the sub-processor to support the processor in responding to data subject rights requests under Act 843, including the right to access personal data under Section 18, the right to correction under Section 20, and the right to object to processing under Section 22 of Act 843.
Security Measures: Technical and organisational security measures the sub-processor must implement, consistent with the requirements of Act 843 and any standards issued by the National Information Technology Agency (NITA). Measures should address access controls, encryption, pseudonymisation, incident response, and business continuity.
Breach Notification: An obligation on the sub-processor to notify the processor without undue delay — and in any event within 24 to 48 hours — upon becoming aware of any personal data breach, so that the processor can comply with its own breach notification obligations to the Data Protection Commission (DPC) and the affected data controller.
Further Sub-processing: A prohibition on the sub-processor engaging further sub-processors without prior written consent of the processor, and a requirement that any further sub-processor be bound by a Sub-Data Processor Agreement containing terms at least as protective as those in the primary agreement.
Cross-Border Transfers: Where the sub-processor is located outside Ghana or processes personal data outside Ghana, the agreement must include data transfer safeguards consistent with the transfer restriction provisions of Act 843, including adequacy assessments or contractual safeguards approved by the Data Protection Commission (DPC).
Audit Rights: A right for the processor — and by extension the data controller and the DPC — to audit the sub-processor's processing activities and security arrangements at reasonable intervals, and an obligation on the sub-processor to provide all information necessary to demonstrate compliance with Act 843.
Return or Deletion: An obligation on the sub-processor to return or securely delete all personal data upon termination of the agreement, and to certify in writing that deletion has been completed, unless Ghanaian law requires continued retention.
Governing Law and Dispute Resolution: Ghana law governs the agreement. Disputes may be referred to the High Court (Commercial Division) in Accra or to arbitration under the Alternative Dispute Resolution Act 2010 (Act 798) administered by the Ghana Arbitration Centre.
Forms-legal.com provides this Sub-Data Processor Agreement template as a starting point for businesses operating in Ghana. Entities handling sensitive personal data categories, cross-border transfers, or regulated financial data should consult a solicitor enrolled with the Ghana Bar Association and a data protection specialist conversant with Act 843 before executing the agreement.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Sub-Data Processor Agreement (Ghana) (Ghana) [Legal document template]. Forms Legal. https://forms-legal.com/ghana/business/policies/sub-data-processor-agreement-ghana
"Sub-Data Processor Agreement (Ghana) (Ghana)." Forms Legal, 2026, https://forms-legal.com/ghana/business/policies/sub-data-processor-agreement-ghana.
@misc{formslegal-sub-data-processor-agreement-ghana,
author = {{Forms Legal}},
title = {Sub-Data Processor Agreement (Ghana) (Ghana)},
year = {2026},
howpublished = {\url{https://forms-legal.com/ghana/business/policies/sub-data-processor-agreement-ghana}},
note = {Free legal document template}
}Frequently Asked Questions
Under the Data Protection Act 2012 (Act 843), a data controller is the person who determines the purposes and means of processing personal data, while a data processor processes personal data on behalf of the data controller under a written contract. A sub-data processor is a third party engaged by the data processor to perform some or all of the processing activities on its behalf. For example, a Ghanaian bank (data controller) may engage a payroll software company (data processor) to manage employee remuneration data; that payroll company may in turn engage a cloud infrastructure provider (sub-data processor) to host the data. Each link in the chain must be governed by a written agreement that imposes obligations consistent with Act 843. The sub-data processor owes its contractual duties to the processor but its data protection obligations run directly under Act 843 to the Data Protection Commission (DPC). Failure to have a written Sub-Data Processor Agreement in place exposes both the processor and the sub-processor to regulatory penalties and civil liability.
The Data Protection Commission (DPC), established under Section 3 of the Data Protection Act 2012 (Act 843), has regulatory jurisdiction over all persons who process personal data in Ghana, including sub-processors. Every sub-processor that processes personal data belonging to Ghanaian data subjects must register with the DPC under Section 16 of Act 843 if it meets the registration threshold, and must comply with the data protection principles set out in Section 17 of Act 843 — including lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, and security. The DPC can investigate complaints, conduct audits, issue compliance notices, and impose administrative penalties. A Sub-Data Processor Agreement that imposes obligations consistent with Act 843 provides evidence of the sub-processor's commitment to compliance during a DPC audit or investigation.
A data processor in Ghana should not engage a sub-processor without the prior authorisation of the data controller. This requirement reflects the data controller's ultimate responsibility for the lawful processing of personal data under the Data Protection Act 2012 (Act 843). The main data processing agreement between the controller and the processor will typically specify whether the processor may engage sub-processors generally (a general authorisation) or only with specific prior approval for each sub-processor. Where only specific approval is required, the processor must notify the data controller of the intended sub-processor and give the controller an opportunity to object before the sub-processing commences. If the processor engages a sub-processor without the required authorisation, the processor bears full liability for any breach of Act 843 attributable to the sub-processor, and the data controller may terminate the main processing agreement.
If a sub-processor suffers a personal data breach in Ghana, the Sub-Data Processor Agreement should require the sub-processor to notify the processor without undue delay — typically within 24 to 48 hours of becoming aware of the breach. The processor must then fulfil its own breach notification obligations under the Data Protection Act 2012 (Act 843) and any sector-specific requirements, such as those imposed by the Bank of Ghana (BoG) under the Banks and Specialised Deposit-taking Institutions Act 2016 (Act 930) or the National Communications Authority (NCA) under the Electronic Communications Act 2008 (Act 775). The notification to the Data Protection Commission (DPC) must describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken to address the breach. Failure to notify the DPC promptly may increase the administrative penalties imposed on the data controller and processor under Act 843.
Cross-border transfers of personal data to sub-processors located outside Ghana are subject to the transfer restrictions in the Data Protection Act 2012 (Act 843). Personal data collected from Ghanaian data subjects may only be transferred outside Ghana if: (i) the destination country provides an adequate level of data protection comparable to the standards under Act 843, as assessed by the Data Protection Commission (DPC); (ii) the data subject has given explicit informed consent to the transfer; (iii) the transfer is necessary for the performance of a contract; or (iv) the transfer is authorised by the DPC on the basis of adequate safeguards. Where a sub-processor is based outside Ghana, the Sub-Data Processor Agreement must include specific data transfer clauses approved by the DPC, and the processor must satisfy itself that the sub-processor's data protection standards are consistent with Act 843. The DPC may investigate unauthorised cross-border transfers and impose penalties for non-compliance.
A sub-processor in Ghana must retain personal data only for as long as is necessary for the specified processing purpose, consistent with the retention period agreed in the Sub-Data Processor Agreement and the instructions of the data controller. The Data Protection Act 2012 (Act 843) requires that personal data not be kept longer than is necessary for the purpose for which it was collected (the storage limitation principle under Section 17(1)(e) of Act 843). Once the processing purpose has been fulfilled or the Sub-Data Processor Agreement has terminated, the sub-processor must securely delete or return all personal data to the processor and certify in writing that deletion has been completed, unless a specific Ghanaian law or regulation — such as the retention requirements under the Banks and Specialised Deposit-taking Institutions Act 2016 (Act 930) or the Income Tax Act 2015 (Act 896) — requires continued retention for a defined period. Retaining personal data beyond the agreed period without a lawful basis is a breach of Act 843.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Non-Disclosure Agreement — Disclosure (Ghana)
A binding Non-Disclosure Agreement for Ghana protecting confidential business information under the Contract Act 1960 (Act 25) and equitable principles of confidence recognised by Ghanaian courts.
Data Processing Agreement (Ghana)
A Data Processing Agreement for Ghana under the Data Protection Act 2012 (Act 843) s.37, governing the relationship between a data controller and a data processor handling personal data on the controller's behalf.
Service Agreement (Ghana)
A general-purpose Service Agreement for Ghana governing the provision of professional or business services between a service provider and a client under the Contracts Act 1960 (Act 25).
Employment Contract (Ghana)
A formal Employment Contract for Ghana setting out terms of employment under the Labour Act 2003 (Act 651), covering duties, remuneration, SSNIT contributions, leave, and termination.