Data Processing Agreement Template (UK and EEA Processors)

Data Processing Agreement (UK/EEA) (GDPR-Ready)

BS.DAT.PR.01

The GDPR requires that all data processing carried out by a data processor on behalf of a data controller is carried out under a written contract.

This Data Processing Agreement (UK/EEA) is designed for use in situations where a data controller in the UK collects and uses personal data (about its customers or staff, for example), and wishes to engage a data processor within the UK or EEA to hold and/or process that personal data on its behalf.

Data processing agreements are designed to carefully regulate the activities of data processors with respect to personal data, with a particular emphasis on their compliance with – in this case – the GDPR. Key features required (and included in this template) include:

  • Details of the subject matter, nature, purpose, and duration of the data processing;
  • Details of the type(s) and categories of personal data and data subjects;
  • Processors must act only on written instructions from controllers;
  • Personnel processing personal data must be subject to obligations of confidence;
  • The processing must take place securely, with suitable organisational and technical measures in place;
  • Processors can only sub-contract (to “sub-processors” in this case) with the consent of the controller, and only then under a written contract that imposes the same obligations on the sub-processor as are imposed on the processor by the main contract;
  • Processors must assist controllers in fulfilling their GDPR obligations, including those relating to secure processing, data breaches, impact assessments, and the exercise by data subjects of their rights under the GDPR;
  • Personal data must be deleted (or otherwise disposed of) appropriately by processors at the end of the contract; and
  • Processors must comply with audits and other inspections carried out by the controller in order to verify compliance with the GDPR and the contract.

Further provisions in this Data Processing Agreement govern liability and indemnity and, in this case, have been written to strike a balance between the data controller and data processor.

Please note that this agreement is only for use where the data controller engages the data processor to carry out services for it which will entail processing personal data where there is no “external” element, i.e. all of the data stays with the data controller and the data processor. For example, there would be no external element if the data processor is engaged only to provide services (such as IT or administrative services) which does not involve any disclosure or external use of any personal data by the data processor. The template is not suitable for use where, for example, where a data processor is engaged to use name lists and other personal data to carry out marketing for the data controller.

Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.

This Data Processing Agreement (UK/EEA) contains the following clauses:
1. Definitions and Interpretation
2. Scope and Application of this Agreement
3. Provision of the Services and Processing Personal Data
4. Data Protection Compliance
5. Data Subject Access, Complaints, and Breaches
6. [Appointment of a Data Protection Officer]
7. Liability and Indemnity
8. Intellectual Property Rights
9. Confidentiality
10. Appointment of Sub-Processors
11. Deletion and/or Disposal of Personal Data
12. [Consideration]
13. Law and Jurisdiction

and the following schedules:
1. Services
2. Personal Data
3. Technical and Organisational Data Protection Measures

This Data Processing Agreement is in open format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.

Once you have purchased access to the appropriate document folder click on the “Download Document” link below. You will be asked what you want to do with the file. It is recommended that you save the document to a location of your choice prior to viewing.

Top