Templates

Data Processing Agreement Template (Scotland)

A data processing agreement (also known as a DPA) is required under UK data protection law where a controller is sharing personal data with a processor. Read more
Legislation GB-SCT
Topics Updated by a lawyer: 14 Oct 2024

What is this DPA template?

Legal requirement: It is a legal requirement of UK data protection law to put in place a contract where a controller (a party who decides the legal basis and purpose for processing personal data), is sharing personal data with a processor (someone who is using that personal data in accordance with the controller's instructions). Docue’s DPA template contains the mandatory terms required to comply with data protection laws.

The basics: This DPA template is designed to be used where there is a controller and processor arrangement between the parties. The requirement to enter into this document commonly arises when the processor is providing some kind of service on behalf of the controller, where they need to access the controller's personal data to provide that service. For example, if a customer asks a supplier to send branded marketing emails out on their behalf, engages a supplier of software or uses the services of a consultant. Find out more about data processing agreements here.

What does this DPA template include?

UK GDPR compliant clauses: The UK GDPR (the main data protection law in the UK) sets out certain clauses that it is mandatory to include in contracts between controllers and processors. This includes requirements for the processor to notify the controller when there is a data breach, have technical and operational security measures in place and allow the controller to inspect its records that relate to the processing. This template includes all required mandatory clauses under the UK GDPR. find out more the key clauses to include here.

Customise to meet your needs: Depending on whether you are acting as a processor or a controller when using the DPA template, you can choose optional clauses that are either pro-controller or pro-processor. For example, where you are acting as a processor, you are granted a general authorisation to appoint sub-processors (provided that you continue to comply with the other requirements in data protection laws relating to the engagement of sub-processors e.g. having a contract in place with those sub-processors). In contrast, if you are the controller, you have the ability to have oversight over the sub-processors that will be appointed, so that they are only appointed with prior consent and subject to any conditions you may want to impose.

Limit your financial exposure: The DPA template contains an optional indemnity (a contractual promise to pay), where you are a controller. Given the potential financial losses that could arise from a personal data breach, this provides a remedy for the controller to recover those losses from the processor where the processor has breached the terms of the agreement, leading to such loss.

When can this DPA template be used?

Who are the parties to this DPA template: This document can be used where there is a supplier and customer relationship between the parties, where the requirement to enter into a data protection agreement commonly arises. However, the DPA template can also be used for any other controller-to-processor relationship as well, as there is an option to change the names of the parties so that the DPA template is tailored to your processing arrangement.

Also covers relationships with sub-processors: As well as being suitable for use between controllers and processors, the DPA template can also be used as contractual terms between processors and their sub-processors (as it is a requirement of the UK GDPR for processors to have contracts in place with their sub-processors that are on substantially similar terms as the contract with the controller). An example could be where a customer (controller) engages a supplier to provide CRM software (processor) and that processor uses a cloud hosting provider (sub-processor) who has access to the personal data in the CRM software. This dpa template is suitable for both the controller-to-processor and processor-to-sub-processor relationships.

When not to use this DPA template: This DPA template should not be used where both parties are controllers (controller to controller sharing), which means they both decide how to use the personal data shared between them. In this case, use our data sharing agreement template should be used instead.

This DPA template assumes that both parties are UK companies and that the UK GDPR is the legal regime that governs the processing.

Why Docue?

Easy to use: With Docue, you can create a top-quality DPA template in minutes. Our service includes model clauses designed by privacy lawyers to help you draft the contract yourself and tailor it to your needs.

Drafted by lawyers: Our lawyer-crafted prompts and guidance notes in the DPA template will guide you through the different options available, so you can produce a DPA template that is both legally compliant and tailored to your needs.

Full contract management: Signatures can be collected electronically, and all contracts you make are saved in your company's own contract account, Docue Drive.

Tags: DPA template, UK GDPR, controller to processor

Legislation GB-SCT
Topics Updated by a lawyer: 14 Oct 2024

Docue gives you access to 150+ high-quality legal templates drafted and maintained by UK lawyers. Trusted by 100,000+ companies.

"We needed an instant fix for writing contracts and looked around at alternatives, but Docue was superior. Easy to engage with and a wide range of templates."

Darrell Arnold

Founder & CEO, Servicedek

"Docue gave us professional contracts that we know are legally written, and cover us in a way that's easy for a non-expert to understand."

Andrew Cowen

Chief Commercial Officer, Komerz

Docue’s Vision in Action: Introducing the New Dashboard to Simplify Your Legal Workflow

At Docue, we believe handling legal documents should be straightforward and stress-free. That’s why we’ve designed our platform to integrate top-tier legal expertise with simple, intuitive contract lifecycle management (CLM) tools. This vision has led to our latest update, the Docue Dashboard, built entirely around the needs of our users.

Ashleigh Evans

8.11.2024

Webinar Recap: Navigating SaaS Contracts and IP Protection - Essential Tips for Tech Entrepreneurs

In September, we hosted a highly insightful webinar titled "Navigating SaaS Contracts and IP Protection: Essential Tips for Tech Entrepreneurs." Led by our legal experts, Ashleigh Evans (Legal Counsel at Docue UK) and Heather Stark (Head of Legal at Docue UK), the session provided invaluable guidance on crucial legal aspects of SaaS agreements and intellectual property protection.

Heather Stark

23.10.2024

Navigating the Online Safety Act: what businesses need to know

For businesses operating in the digital space, staying ahead of legislative changes is critical. The new Online Safety Act (“the Act”), a landmark piece of legislation, is set to transform how businesses manage online content and user safety. Designed to create a safer online environment, this Act imposes new responsibilities on businesses that operate online platforms, services and applications. In this blog, we'll break down the key elements of the Online Safety Act, explore its implications for digital businesses and provide guidance on how you can prepare for compliance.

Heather Stark

16.9.2024