Dpa Agreement Template for England and Wales
Generate a bespoke document
What is a Dpa Agreement?
The DPA Agreement is essential when an organization (controller) engages another party (processor) to process personal data on its behalf. This document is required under Article 28 of the UK GDPR and must be in place before any data processing begins. The agreement sets out specific obligations, including security measures, confidentiality requirements, and data handling procedures. It is particularly crucial in the post-Brexit landscape where UK-specific data protection requirements must be met. The DPA Agreement serves as a cornerstone document for ensuring compliant data processing operations in England and Wales.
About the Dpa Agreement
A Data Processing Agreement (DPA) is a legally binding contract that governs the relationship between a data controller and data processor when personal data is shared for processing activities. Under England and Wales law, this agreement is not optional but a strict legal requirement that must be in place before any data processing begins.
When do you need this document?
You need a DPA Agreement whenever your organisation engages a third party to process personal data on your behalf. This includes common business scenarios such as using cloud storage providers, payroll service companies, marketing agencies handling customer data, or IT support firms accessing employee information. The agreement is also essential when appointing sub-processors, outsourcing customer service operations, or engaging consultants who will handle personal data. Even seemingly routine activities like using email marketing platforms or customer relationship management systems require a compliant DPA to be in place.
Key legal considerations
Your DPA Agreement must include specific mandatory clauses to satisfy Article 28 of the UK GDPR. The processor must only act on documented instructions from the controller, ensure appropriate technical and organisational security measures, and maintain confidentiality of all personal data. The agreement must address data breach notification procedures, typically requiring the processor to notify the controller within 24-72 hours of becoming aware of any breach. You must also include provisions for data subject rights, allowing individuals to exercise their rights to access, rectification, erasure, and portability. International data transfers require additional safeguards, particularly when processors are located outside the UK or EU. The agreement should specify audit rights, allowing the controller to verify compliance through inspections or third-party assessments.
Legal requirements in England and Wales
Under England and Wales law, your DPA Agreement must comply with both the UK GDPR and the Data Protection Act 2018, which together form the UK's comprehensive data protection framework. The Information Commissioner's Office (ICO) provides authoritative guidance on DPA requirements and expects agreements to demonstrate clear accountability measures. You must ensure the agreement addresses retention periods, specifying how long data will be processed and when it must be returned or securely destroyed. The Privacy and Electronic Communications Regulations (PECR) may also apply if electronic communications are involved in the processing activities. Post-Brexit, you cannot rely solely on EU adequacy decisions for international transfers, and must implement appropriate safeguards such as Standard Contractual Clauses or adequacy regulations specific to the UK. The agreement must also address liability allocation between controller and processor, ensuring compliance with the ICO's enforcement expectations and potential penalties under the UK regime.
GOVERNING LAW
Applicable law
This Dpa Agreement is drafted to comply with England and Wales law. Key legislation includes:
Explore 208,390+ legal templates
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it