Dpa Agreement Template for England and Wales

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Dpa Agreement?

The DPA Agreement is essential when an organization (controller) engages another party (processor) to process personal data on its behalf. This document is required under Article 28 of the UK GDPR and must be in place before any data processing begins. The agreement sets out specific obligations, including security measures, confidentiality requirements, and data handling procedures. It is particularly crucial in the post-Brexit landscape where UK-specific data protection requirements must be met. The DPA Agreement serves as a cornerstone document for ensuring compliant data processing operations in England and Wales.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

England and Wales

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Dpa Agreement

A Data Processing Agreement (DPA) is a legally binding contract that governs the relationship between a data controller and data processor when personal data is shared for processing activities. Under England and Wales law, this agreement is not optional but a strict legal requirement that must be in place before any data processing begins.

When do you need this document?

You need a DPA Agreement whenever your organisation engages a third party to process personal data on your behalf. This includes common business scenarios such as using cloud storage providers, payroll service companies, marketing agencies handling customer data, or IT support firms accessing employee information. The agreement is also essential when appointing sub-processors, outsourcing customer service operations, or engaging consultants who will handle personal data. Even seemingly routine activities like using email marketing platforms or customer relationship management systems require a compliant DPA to be in place.

Key legal considerations

Your DPA Agreement must include specific mandatory clauses to satisfy Article 28 of the UK GDPR. The processor must only act on documented instructions from the controller, ensure appropriate technical and organisational security measures, and maintain confidentiality of all personal data. The agreement must address data breach notification procedures, typically requiring the processor to notify the controller within 24-72 hours of becoming aware of any breach. You must also include provisions for data subject rights, allowing individuals to exercise their rights to access, rectification, erasure, and portability. International data transfers require additional safeguards, particularly when processors are located outside the UK or EU. The agreement should specify audit rights, allowing the controller to verify compliance through inspections or third-party assessments.

Legal requirements in England and Wales

Under England and Wales law, your DPA Agreement must comply with both the UK GDPR and the Data Protection Act 2018, which together form the UK's comprehensive data protection framework. The Information Commissioner's Office (ICO) provides authoritative guidance on DPA requirements and expects agreements to demonstrate clear accountability measures. You must ensure the agreement addresses retention periods, specifying how long data will be processed and when it must be returned or securely destroyed. The Privacy and Electronic Communications Regulations (PECR) may also apply if electronic communications are involved in the processing activities. Post-Brexit, you cannot rely solely on EU adequacy decisions for international transfers, and must implement appropriate safeguards such as Standard Contractual Clauses or adequacy regulations specific to the UK. The agreement must also address liability allocation between controller and processor, ensuring compliance with the ICO's enforcement expectations and potential penalties under the UK regime.

GOVERNING LAW

Applicable law

This Dpa Agreement is drafted to comply with England and Wales law. Key legislation includes:

UK GDPR: The UK General Data Protection Regulation - Primary legislation governing data protection in the UK post-Brexit, setting out fundamental principles for data processing

DPA 2018: Data Protection Act 2018 - The UK's implementation of data protection standards, complementing and working alongside UK GDPR

PECR: Privacy and Electronic Communications Regulations 2003 - Specific rules for privacy in electronic communications

ICO Guidance: Information Commissioner's Office guidelines and codes of practice - Authoritative guidance on interpreting and implementing data protection requirements

EDPB Guidelines: European Data Protection Board guidelines - While not binding post-Brexit, these remain influential for UK data protection practices

Article 28 Compliance: Specific requirements under UK GDPR Article 28 detailing mandatory processor obligations in data processing agreements

Article 32 Security: Security requirements under UK GDPR Article 32 specifying technical and organizational measures for data protection

International Transfers: Post-Brexit requirements for international data transfers, including adequacy decisions and appropriate safeguards

Sub-processor Requirements: Rules and restrictions governing the appointment and oversight of sub-processors in data processing activities

Breach Notifications: Mandatory requirements for handling and reporting data breaches under UK data protection law

Data Subject Rights: Procedures for handling data subject rights requests and ensuring compliance with UK GDPR requirements

Sector-Specific Regulations: Additional regulatory requirements specific to industries such as financial services (FCA), healthcare (NHS), and public sector

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it