What is this data processing agreement template?
Legal requirement: It is a legal requirement of UK data protection law to put in place a contract where a controller (a party who decides the legal basis and purpose for processing personal data), is sharing personal data with a processor (someone who is using that personal data in accordance with the controller's instructions). Docue’s data processing agreement template contains the mandatory terms required to comply with data protection laws.
The basics: This data processing agreement template is designed to be used where there is a controller and processor arrangement between the parties. The requirement to enter into this document commonly arises when the processor is providing some kind of service on behalf of the controller, where they need to access the controller's personal data to provide that service. For example, if a customer asks a supplier to send branded marketing emails out on their behalf, engages a supplier of software or uses the services of a consultant. Find out more about data processing agreements here.
What does this data processing agreement template include?
UK GDPR compliant clauses: The UK GDPR (the main data protection law in the UK) sets out certain clauses that it is mandatory to include in contracts between controllers and processors. This includes requirements for the processor to notify the controller when there is a data breach, have technical and operational security measures in place and allow the controller to inspect its records that relate to the processing. This template includes all required mandatory clauses under the UK GDPR. find out more the key clauses to include here.
Customise to meet your needs: Depending on whether you are acting as a processor or a controller when using the data processing agreement template, you can choose optional clauses that are either pro-controller or pro-processor. For example, where you are acting as a processor, you are granted a general authorisation to appoint sub-processors (provided that you continue to comply with the other requirements in data protection laws relating to the engagement of sub-processors e.g. having a contract in place with those sub-processors). In contrast, if you are the controller, you have the ability to have oversight over the sub-processors that will be appointed, so that they are only appointed with prior consent and subject to any conditions you may want to impose.
Limit your financial exposure: The data processing agreement template contains an optional indemnity (a contractual promise to pay), where you are a controller. Given the potential financial losses that could arise from a personal data breach, this provides a remedy for the controller to recover those losses from the processor where the processor has breached the terms of the agreement, leading to such loss.
When can this data processing agreement template be used?
Who are the parties to this data processing agreement template: This document can be used where there is a supplier and customer relationship between the parties, where the requirement to enter into a data protection agreement commonly arises. However, the dpa template can also be used for any other controller-to-processor relationship as well, as there is an option to change the names of the parties so that the data processing agreement template is tailored to your processing arrangement.
Also covers relationships with sub-processors: As well as being suitable for use between controllers and processors, the data processing agreement template can also be used as contractual terms between processors and their sub-processors (as it is a requirement of the UK GDPR for processors to have contracts in place with their sub-processors that are on substantially similar terms as the contract with the controller). An example could be where a customer (controller) engages a supplier to provide CRM software (processor) and that processor uses a cloud hosting provider (sub-processor) who has access to the personal data in the CRM software. This dpa template is suitable for both the controller-to-processor and processor-to-sub-processor relationships.
When not to use this data processing agreement template: This dpa template should not be used where both parties are controllers (controller to controller sharing), which means they both decide how to use the personal data shared between them. In this case, use our data sharing agreement template should be used instead.
This data processing agreement template assumes that both parties are UK companies, that English Law applies and that the UK GDPR is the legal regime that governs the processing.
Why Docue?
Easy to use: With Docue, you can create a top-quality data processing agreement template in minutes. Our service includes model clauses designed by privacy lawyers to help you draft the contract yourself and tailor it to your needs.
Drafted by lawyers: Our lawyer-crafted prompts and guidance notes in the data processing agreement template will guide you through the different options available, so you can produce a DPA template that is both legally compliant and tailored to your needs.
Full contract management: Signatures can be collected electronically, and all contracts you make are saved in your company's own contract account, Docue Drive.
Tags: data processing agreement template, UK GDPR, controller to processor, data processing agreement example
