What is this DPA template?
Legal requirement: It is a legal requirement of UK data protection law to put in place a contract where a controller (a party who decides the legal basis and purpose for processing personal data) is sharing personal data with a processor (someone who is using that personal data in accordance with the controller's instructions). Docue’s DPA template contains the mandatory terms required to comply with data protection laws.
The basics: This DPA template is designed to be used where there is a controller and processor arrangement between the parties. The requirement to enter into this document commonly arises when the processor is providing some kind of service on behalf of the controller, where they need to access the controller's personal data to provide that service. For example, a customer may ask a supplier to send branded marketing emails out on their behalf, engage a supplier of software or use the services of a consultant. Find out more about data processing agreements here.
What does this DPA template include?
UK GDPR compliant clauses: The UK GDPR (the main data protection law in the UK) sets out certain clauses that it is mandatory to include in contracts between controllers and processors. This includes requirements for the processor to notify the controller when there is a data breach, have technical and operational security measures in place and allow the controller to inspect its records that relate to the processing. This template includes all required mandatory clauses under the UK GDPR. Find out more about the key clauses to include here.
Customise to meet your needs: Depending on whether you are acting as a processor or a controller when using the DPA template, you can choose optional clauses that are either pro-controller or pro-processor. For example, where you are acting as a processor, you are granted a general authorisation to appoint sub-processors (provided that you continue to comply with the other requirements in data protection laws relating to the engagement of sub-processors e.g. having a contract in place with those sub-processors). In contrast, if you are the controller, you have the ability to have oversight over the sub-processors that will be appointed, so that they are only appointed with prior consent and subject to any conditions you may want to impose.
Limit your financial exposure: The DPA template contains an optional indemnity (a contractual promise to pay), where you are a controller. Given the potential financial losses that could arise from a personal data breach, this provides a remedy for the controller to recover those losses from the processor where the processor has breached the terms of the agreement, leading to such loss.
When can this DPA template be used?
Who are the parties to this DPA template: This document can be used where there is a supplier and customer relationship between the parties, where the requirement to enter into a data protection agreement commonly arises. However, the DPA template can also be used for any other controller-to-processor relationship, as there is an option to change the names of the parties so that the DPA template is tailored to your processing arrangement.
Also covers relationships with sub-processors: As well as being suitable for use between controllers and processors, the DPA template can also be used as contractual terms between processors and their sub-processors (as it is a requirement of the UK GDPR for processors to have contracts in place with their sub-processors that are on substantially similar terms as the contract with the controller). An example could be where a customer (controller) engages a supplier to provide CRM software (processor) and that processor uses a cloud hosting provider (sub-processor) who has access to the personal data in the CRM software. This DPA template is suitable for both the controller-to-processor and processor-to-sub-processor relationships.
When not to use this DPA template: This DPA template should not be used where both parties are controllers (controller to controller sharing), which means they both decide how to use the personal data shared between them. In this case, our data sharing agreement template should be used instead.
This DPA template assumes that both parties are UK companies and that the UK GDPR is the legal regime that governs the processing.
Why Docue?
Easy to use: With Docue, you can create a top-quality DPA template in minutes. Our service includes model clauses designed by privacy lawyers to help you draft the contract yourself and tailor it to your needs.
Drafted by lawyers: Our lawyer-crafted prompts and guidance notes in the DPA template will guide you through the different options available, so you can produce a DPA template that is both legally compliant and tailored to your needs.
Full contract management: Signatures can be collected electronically, and all contracts you make are saved in your company's own contract account, Docue Drive.
Tags: DPA template, UK GDPR, controller to processor