Data Processing Agreement
"I require a data processing agreement that outlines the responsibilities and liabilities of both parties, ensures compliance with UK GDPR, includes data breach notification procedures, and specifies data processing fees in GBP. The agreement should also cover data transfer outside the UK."
What is a Data Processing Agreement?
A Data Processing Agreement sets out the rules and responsibilities when one organization handles personal data on behalf of another. It's a crucial legal contract required by UK GDPR that spells out exactly how a data processor (like a cloud service provider or payroll company) must protect and manage the personal information they're trusted with.
The agreement covers essential details like data security measures, confidentiality requirements, and what happens if there's a breach. UK businesses need these agreements to stay compliant with data protection laws and to maintain clear accountability when sharing personal data with service providers, contractors, or other third parties who process data for them.
When should you use a Data Processing Agreement?
You need a Data Processing Agreement any time your business shares personal data with external service providers who will process that information. This includes common scenarios like using cloud storage providers, outsourced HR systems, marketing agencies handling customer data, or IT contractors with access to your databases.
The key trigger is when another company processes personal data on your behalf - for example, if you use Mailchimp for email marketing, Salesforce for customer management, or third-party payroll services. UK GDPR requires these agreements to be in place before sharing data, and failing to have one exposes your business to significant compliance risks and potential fines.
What are the different types of Data Processing Agreement?
- DPA Agreement: The standard, comprehensive version covering all core GDPR requirements for data processing relationships
- Data Processing Addendum: Adds data protection terms to existing service contracts, commonly used with SaaS providers
- Data Transfer Agreement: Specifically focuses on international data transfers outside the UK and EEA
- Data Protection Addendum: Broader addendum covering both processing and protection obligations
- Intra Group Data Transfer Agreement: Specialized version for data sharing between companies in the same corporate group
Who should typically use a Data Processing Agreement?
- Data Controllers: Organizations that determine how and why personal data is processed - like businesses, charities, or government bodies who own the data and need to share it
- Data Processors: Service providers who handle personal data on behalf of controllers - such as cloud storage companies, payroll providers, or marketing agencies
- Legal Teams: In-house lawyers or external solicitors who draft and review Data Processing Agreements to ensure compliance
- Data Protection Officers: Specialists who oversee data protection compliance and often manage these agreements
- IT and Security Teams: Technical staff who implement the security measures specified in the agreement
How do you write a Data Processing Agreement?
- Identify Data Flows: Map out exactly what personal data will be shared, how it will be used, and who will have access
- Security Requirements: List specific security measures needed based on data sensitivity and processing activities
- Processing Details: Document the purpose, duration, and type of processing activities to be carried out
- Sub-processor Rules: Decide if and how the processor can engage other companies to help with data processing
- Breach Response: Plan how data breaches will be reported and handled between parties
- Compliance Check: Use our platform to generate a customized agreement that includes all UK GDPR-required elements
What should be included in a Data Processing Agreement?
- Processing Details: Clear description of data types, processing purposes, and duration of processing activities
- Security Measures: Specific technical and organizational safeguards to protect personal data
- Confidentiality: Commitments to maintain data secrecy and staff confidentiality obligations
- Sub-processing: Rules and permissions for engaging additional data processors
- Breach Procedures: Notification timelines and response protocols for data incidents
- Data Subject Rights: How to handle access requests and other individual rights
- Return/Deletion: Clear terms for data handling after contract termination
- Compliance Support: Processor's obligations to help demonstrate GDPR compliance
What's the difference between a Data Processing Agreement and a Data Sharing Agreement?
A Data Processing Agreement differs significantly from a Data Sharing Agreement in several key ways. While both deal with personal data, they serve different purposes and create distinct legal relationships.
- Legal Relationship: A DPA establishes a controller-processor relationship where one party processes data on behalf of another. A Data Sharing Agreement creates a controller-to-controller relationship where both parties independently control the data
- Purpose: DPAs focus on outsourced processing activities and security requirements. Data Sharing Agreements govern mutual data exchange between equal partners
- GDPR Requirements: DPAs are mandatory under UK GDPR when using external processors. Data Sharing Agreements are recommended but not legally required
- Scope of Control: In a DPA, the processor must follow the controller's instructions. In a Data Sharing Agreement, each party has autonomous control over their use of the data
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your documents are private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
Our bank-grade security infrastructure undergoes regular external audits
We are ISO27001 certified, so your data is secure
Organizational security
You retain IP ownership of your documents
You have full control over your data and who gets to see it
Innovation in privacy:
Genie partnered with the Computational Privacy Department at Imperial College London
Together, we ran a £1 million research project on privacy and anonymity in legal contracts