When does my business need to use a DPA (GDPR) to comply with the UK GDPR?
1. What is a DPA template (GDPR)?
DPA stands for data processing agreement. It is a contract between two parties, where one party is being appointed to process personal data on behalf of the other party. One of the main data protection laws in the UK is the UK GDPR, which contains strict requirements for what must be included in DPAs.
2. When does my business need to use a GDPR agreement?
A DPA (GDPR) should be entered into when a third party is being appointed to carry out a processing activity on behalf of another. “Processing” has a wide meaning under the UK GDPR and covers almost everything that is done with personal data - it includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
The types of processing relationships where a DPA (GDPR) is needed are:
Controller to processor - this is where a controller (a party who decides the legal basis and purpose for processing personal data) is sharing, or giving access to, personal data with a processor (someone who is using that personal data in accordance with the controller's instructions). E.g. a design agency engages a software provider to provide it with a CRM platform which houses its clients' personal data. Here the design agency would be the controller and the CRM platform provider would be the processor; or
Processor to sub-processor - this is where the processor sub-contracts part of its processing activities to a third party (known as a sub-processor). E.g. the CRM platform provider in the above example uses a third-party cloud hosting provider to host the CRM platform (including the customer data contained on the platform). Here the CRM platform provider is the processor and the cloud provider is the sub-processor.
3. When would other types of data protection agreements be more suitable?
A DPA (GDPR) is the contract that should be put in place between controllers and processors (and processors and sub-processors).
However, sometimes personal data is shared between two parties where those parties are both controllers. In these circumstances, both parties will have their own purpose for using (and sharing) the personal data. For controller-to-controller sharing, a data sharing agreement should be used instead of a DPA (GDPR).
4. Is a DPA (GDPR) mandatory under data protection laws?
Yes - it is a requirement of Article 28 of the UK GDPR for a contract to be put in place between controllers and processors (and processors and sub-processors) that contains certain mandatory clauses. Failure to put a contract in place that contains the mandatory clauses is a breach of data protection laws.
Find out what mandatory clauses must be included in your DPA (GDPR) using this checklist.
5. How can I customise a DPA template (GDPR) to suit my business?
Docue’s DPA template (GDPR) contains all the mandatory clauses that are required in contracts between controllers and processors under data protection laws.
The template contains lots of options that make it customisable to suit your business's needs, including the option to include a scope of processing that is fully tailored to your situation. You can also choose to include optional clauses, such as in relation to liability and indemnities. And don’t worry if you get stuck along the way when creating your DPA (GDPR), as Docue’s lawyer-drafted guidance notes are there to guide you through the contract creation process.
Sign-up now to use Docue's DPA (GDPR) agreement template.