Free data processing agreement
This is a free DPA or data processing agreement designed to help businesses to comply with the provisions of the UK GDPR and EU GDPR relating to contracts between controllers of personal data and processors.
The UK GDPR and the EU GDPR apply very similar requirements to these contracts. The main requirements, all reflected in this free DPA, are as follows.
Specification of processing operations - The DPA should identify the personal data that is going to be processed, the categories of data subject affected, the purposes of the processing, relevant security requirements, authorised third party disclosures and permitted international transfers.
Period of processing - The DPA should require that personal data be returned and/or deleted following the completion of the relevant services.
Instructions of the controller - The processor should be bound by the DPA to only process the personal data in accordance with the instructions of the controller.
Unlawful instructions - If an instruction of the controller relating to the processing of the data is unlawful, the processor should let the controller know in accordance with the provisions of the DPA.
Legal requirements - The processor is permitted by the DPA to process the personal data where required to do so by the relevant applicable law (e.g. UK legal requirements applying to processing happening under the UK GDPR).
Confidentiality - The processor must ensure that persons authorised to process the data are under appropriate confidentiality obligations.
Security - The DPA should require that the processor implement appropriate security measures (both technical and organisational) with respect to the data.
Assistance - The processor must, under the DPA, take appropriate measures to assist the controller with the fulfilment of the controller's obligations relating to data subject rights. The processor must also assist the controller in relation to compliance with the obligations of the controller relating to the security of processing of personal data, the notification of personal data breaches to the supervisory authority, the communication of personal data breaches to the data subject, data protection impact assessments and prior consultation in relation to high-risk processing.
Breach notification - The DPA requires that personal data breaches be notified by the processor to the controller within a pre-defined timeframe (of 72 hours or less).
Information and audit - The controller is entitled to audit the processor's compliance with its obligations under the DPA. The processor must facilitate such audits, and must provide to the controller all such information as is necessary to demonstrate compliance.
This free DPA assumes that the controller and processor have entered into or will enter into a separate services agreement, covering the provision of services by the processor to the controller.
Free data processing agreement contents
- Definitions: definitions.
- Credit: docular credit; free documents licensing warning.
- Supplemental: Agreement supplements main contract; definitions in main contract; conflict between Agreement and main contract; breach of Agreement deemed to be breach of main contract; breach of main contract deemed to be breach of Agreement; termination with main contract; main contract termination.
- Term: commencement of term; end of term.
- Data protection: compliance with data protection laws; warranty of Controller's right to disclose personal data (GDPR); details of personal data processed by the Processor (GDPR); purposes of processing of personal data by the Processor (GDPR); duration of personal data processing by Processor (GDPR); personal data processed by Processor on instructions (GDPR); authorised international transfers of personal data (GDPR); informing Controller of illegal instructions (GDPR); personal data processed by Processor as required by law (GDPR); confidentiality obligations on Processor persons processing personal data (GDPR); security of personal data processed by Processor (GDPR); appointment of sub-processor by Processor (GDPR); authorisation for Processor to appoint sub-processors (GDPR); Processor to assist with exercise of data subject rights (GDPR); Processor to assist with compliance (GDPR); obligation to notify Controller of personal data breach (GDPR); Processor to provide data protection compliance information (GDPR); deletion of personal data by Processor (GDPR); Processor to allow audit (GDPR); changes to data protection law.
- Limits upon exclusions of liability: caveats to limits of liability.
- Termination: termination by either party without cause; termination by either party upon breach; termination upon insolvency.
- Effects of termination: surviving provisions upon termination; termination does not affect accrued rights.
- Notices: methods and deemed receipt of contractual notices; contact details for contractual notices; substitute contact details for notices.
- General: no waiver; severability; variation written and signed; no assignment without written consent; no third party rights; entire agreement; governing law; exclusive jurisdiction.
- Interpretation: statutory references; section headings not affecting interpretation; calendar month meaning; no ejusdem generis.
SCHEDULE 1 (DATA PROCESSING INFORMATION)
- Categories of data subject: prompt for categories of data subject.
- Types of Personal Data: prompt for types of personal data.
- Purposes of processing: prompt for personal data processing purposes.
- Security measures for Personal Data: prompt for security measures for personal data.
- Sub-processors of Personal Data: prompt for identifying sub-processors of personal data.
SCHEDULE 2 (STANDARD CONTRACTUAL CLAUSES)
- Prompt for standard contractual clauses.