1. Scope and Role Definitions
This Data Processing Agreement ('DPA') is incorporated into and forms part of the contract between IEC ('Processor') and the Institutional member ('Controller'). It applies where the Controller uses IEC's platform to process personal data of the Controller's employees, contacts, deal counterparties or other individuals and instructs IEC to process that data on its behalf. This DPA is intended to satisfy the requirements of Article 28(3) GDPR and equivalent provisions of 152-FZ. In all other respects, IEC acts as an independent controller of member data as described in the Privacy Policy.
2. Controller's Instructions
IEC shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country. The Controller's instructions are set out in Exhibit A to this DPA (Processing Instructions). IEC shall inform the Controller if, in its opinion, an instruction infringes applicable data protection law. IEC shall not be required to follow instructions that would require IEC to violate applicable law.
3. Processor Obligations
IEC undertakes to:
- (a) process personal data only for the purposes described in Exhibit A and in no other way
- (b) ensure that persons authorised to process the data are bound by confidentiality obligations
- (c) implement the technical and organisational security measures described in Exhibit B
- (d) respect the conditions for engaging sub-processors as described in Clause 5
- (e) assist the Controller in fulfilling data subject rights requests within applicable timeframes
- (f) assist the Controller in completing Data Protection Impact Assessments (DPIAs) where required
- (g) make available all information necessary to demonstrate compliance with Article 28 GDPR
- (h) allow for and contribute to audits and inspections conducted by or on behalf of the Controller.
4. Security Measures
IEC implements the following technical and organisational security measures (TOMs) to protect personal data processed on behalf of Controllers:
- (a) Encryption — AES-256 at rest; TLS 1.3 in transit
- (b) Access controls — role-based access control (RBAC); MFA enforced for all staff accounts; principle of least privilege
- (c) Monitoring — SIEM (security information and event management) with 24/7 alerting
- (d) Incident response — documented incident response plan; notification to Controller within 24 hours of discovering a breach
- (e) Physical security — data centres comply with ISO 27001 or equivalent
- (f) Personnel — background checks for staff with access to personal data; mandatory data protection training (annual)
- (g) Vulnerability management — annual third-party penetration tests; monthly vulnerability scans.
5. Sub-Processors
The Controller provides general authorisation for IEC to engage sub-processors, subject to:
- (a) IEC imposing GDPR-equivalent obligations on sub-processors
- (b) IEC maintaining a current list of sub-processors at /legal/subprocessors
- (c) IEC notifying the Controller at least 30 days before engaging a new sub-processor or materially changing an existing one
- (d) the Controller having the right to object to new sub-processors within 14 days of notification.

If the Controller objects and IEC cannot accommodate the objection, either party may terminate this DPA on 30 days' written notice. IEC remains liable to the Controller for the acts and omissions of sub-processors as if IEC had performed them directly.
6. Data Subject Rights and Breach Notification
Where IEC receives a request from a data subject in relation to data processed under this DPA, IEC will promptly notify the Controller and cooperate to enable the Controller to fulfil the request. Breach notification: IEC will notify the Controller without undue delay and in any event within 24 hours of becoming aware of a personal data breach affecting data processed under this DPA, providing the information required by Article 33(3) GDPR. IEC will cooperate fully with the Controller in relation to any regulatory investigation or enforcement action.
Document versioning and re-acceptance
This document was last updated on Nov 1, 2025. IEC maintains a versioned archive of all prior versions. Where a material change affects the rights or obligations of existing members, affected members are notified by email at least 14 days before the change takes effect. Continued use of the platform after the effective date constitutes acceptance of the updated terms. To request a prior version, contact legal@internationalenergyclub.org.