Templates

Data Processing Agreement

A data processing agreement (also known as a DPA) is required under UK data protection law where a controller is sharing personal data with a processor. Read more

What is this data processing agreement template?

Legal requirement: A data processing agreement is a legal requirement under UK data protection law where a controller (a party who decides the legal basis and purpose for processing personal data), is sharing personal data with a processor (someone who is using that personal data in accordance with the controller's instructions).

The basics: This data processing agreement template is designed to be used where there is a controller and processor arrangement between the parties. The requirement to enter into this document commonly arises when the processor is providing some kind of service on behalf of the controller, where they need to access the controller's personal data to provide that service. For example, if the customer asked a supplier to send branded marketing emails out on their behalf, engages a supplier of software or uses the services of a consultant.

What does this data processing agreement template include?

UK GDPR compliant clauses: the UK GDPR (the main data protection law in the UK) sets out certain clauses that it is mandatory to include in contracts between controllers and processors. This includes requirements for the processor to notify the controller when there is a data breach, have technical and operational security measures in place and allow the controller to inspect its records that relate to the processing. This data processing agreement template includes all required mandatory clauses under the UK GDPR.

Customise to meet your needs: depending on whether you are acting as a processor or a controller under the data processing agreement, you can choose optional clauses that are either pro-controller or pro-processor. For example, where you are acting as a processor, you are granted a general authorisation to appoint sub-processors (provided that you continue to comply with the other requirements in data protection laws relating to the engagement of sub-processors e.g. having a contract in place with those sub-processors). In contrast, if you are the controller, you have the ability to have oversight over the sub-processors that will be appointed, so that they are only appointed with prior consent and subject to any conditions you may want to impose.

Limit your financial exposure: the data processing agreement template contains an optional indemnity (a contractual promise to pay), where you are a controller. Given the potential financial losses that could arise from a personal data breach, this provides a remedy for the controller to recover those losses from the processor where the processor has breached the terms of the agreement, leading to such loss.

When can this data processing agreement template be used?

Who are the parties to this data processing agreement template: This document can be used where there is a supplier and customer relationship between the parties, where the requirement to enter into a data protection agreement commonly arises. However, the data processing agreement template can also be used for any other controller-to-processor relationship as well, as there is an option to change the names of the parties so that the data processing agreement template is tailored to your processing arrangement.

Also covers relationships with sub-processors: As well as being suitable for use between controllers and processors, the data processing agreement template can also be used as contractual terms between processors and their sub-processors (as it is a requirement of the UK GDPR for processors to have contracts in place with their sub-processors that are on substantially similar terms as the contract with the controller). An example could be where a customer (controller) engages a supplier to provide CRM software (processor) and that processor uses a cloud hosting provider (sub-processor) who has access to the personal data in the CRM software. This data processing agreement template is suitable for both the controller-to-processor and processor-to-sub-processor relationships.

When not to use this data processing agreement template: This document should not be used where both parties are controllers, which means they both decide how to use the personal data shared between them.

This data processing agreement template assumes that both parties are UK companies, that English Law applies and that the UK GDPR is the legal regime that governs the processing.

Why Docue?

With Docue, you can create a top-quality data processing agreement template in minutes. Our service includes model clauses designed by privacy lawyers to help you draft the contract yourself and tailor it to your needs.

Our lawyer-crafted prompts and guidance notes in the document will guide you through the different options available, so you can produce a data processing agreement template that is both legally compliant and tailored to your needs.

Signatures can be collected electronically, and all contracts you make are saved in your company's own contract account.

Docue gives you access to 80+ high-quality legal templates drafted and maintained by UK lawyers. Trusted by 30,000+ companies.

"Docue’s suite of templates saves SMEs on time, money, and stress, by equipping them with affordable legal documentation they can rely on."

Ed Boal

Director and Head of Corporate, Stephenson Law

"Having legal documents available at the touch of a button is incredibly convenient."

Jackson Harrison

Owner, J Harrison Installations