
Data Processing Agreement template
A Data Processing Agreement (DPA) is a legally required contract that governs the relationship between a data Controller and a data Processor, detailing the terms and conditions under which the Processor handles Personal Data on the Controller's behalf to ensure compliance with UK data protection laws.
- Updated 5 Feb 2026
- Created by Docusign
Free Data Processing Agreement (DPA) Template in Docusign
If your company acts as a Controller (determining the purpose of processing) and hires a third party (the Processor) to handle personal data, a formal DPA agreement is legally mandated. Docusign offers a free, editable data processing contract that meets UK GDPR requirements.
The DPA is incorporated into your existing agreement for the provision of services (the "Main Agreement").
You must complete the identification details for both the Controller and the Processor.
The template requires comprehensive appendices detailing the processing activities, security measures, and approved sub-processors.
Overview of the Data Processing Agreement
This data processing agreement is a foundational document in data privacy, ensuring that when the Processor handles Personal Data for the Controller, it does so lawfully, securely, and strictly according to the Controller's instructions.
The agreement is designed to ensure compliance with UK Data Protection Laws, which include the UK GDPR (the retained EU law version of the GDPR) and the Data Protection Act 2018. The agreement is structured around the legal requirements set out in Article 28 of the UK GDPR.
Who This Template Is For
This template is for any business relationship where one entity controls the data and another processes it on their behalf. Examples include:
- Cloud Service Providers: A Controller using a software-as-a-service (SaaS) platform (e.g., CRM or HR software) to store and manage customer/employee data.
- Outsourced Services: A company hiring a payroll provider, IT support, or a marketing agency that handles client lists.
- Hosting Providers: A business using a data centre or cloud hosting service to host a database containing personal data.
Purpose and Scope of the DPA
The core purpose of the DPA is to impose strict obligations on the Processor and outline the safeguards required when processing Personal Data.
The scope of the processing must be documented in Appendix 1: Details of the Processing:
- Subject Matter, Duration, Nature, and Purpose of the processing must be clearly described.
- Types of Personal Data (e.g., contact details, online identifiers) and Categories of Data Subjects (e.g., customers, employees) must be listed.
Key Clauses in Your Data Processing Contract
The DPA includes essential clauses to meet the legal requirements of the UK Data Protection Laws:
- Processor Obligations (Clause 3): The Processor warrants that it will only process data on the Controller's documented written instructions and ensure personnel are under confidentiality obligations.
- Security Measures (Clause 3.3 & Appendix 2): The Processor must implement and maintain appropriate technical and organisational measures, such as encryption and access controls, to ensure a security level appropriate to the risk.
- Sub-processors (Clause 3.4 & 3.5): The Processor cannot engage a sub-processor without the Controller's prior written authorisation and remains fully liable for the sub-processor's performance.
- Data Subject Rights and Assistance (Clause 3.6 & 3.7): The Processor must assist the Controller in fulfilling Data Subject rights requests (e.g., access, erasure) and meeting compliance obligations, such as Data Protection Impact Assessments (DPIAs).
- Data Breach Notification (Clause 3.8): The Processor must notify the Controller without undue delay after becoming aware of a Personal Data Breach.
- Audits (Clause 3.10): The Processor must make available all information necessary to demonstrate compliance and allow for audits or inspections conducted by the Controller or a mandated auditor.
- International Transfers (Clause 5): Data cannot be transferred outside the UK without the Controller's prior consent, and appropriate safeguards (like the IDTA or the UK Addendum) must be put in place.
Disclaimer: These templates are provided for informational purposes only and do not constitute legal advice. They should not be construed as regulatory, legal, or privacy law compliant. The templates are not a substitute for professional legal counsel and should not be relied upon for any specific situation or circumstance. Users are strongly advised to consult with a qualified attorney licensed in their jurisdiction before using or adapting these templates.
The templates are provided on an "as is," "with all faults," and "as available" basis. The provider expressly disclaims all warranties of any kind, whether express, implied, statutory, or otherwise, including but not limited to any warranties of merchantability, fitness for a particular purpose, or non-infringement.
Docusign does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials in these templates or otherwise relating to such materials or on any sites linked to these templates.
