Data Processing Agreement (UK)
The UK GDPR requires that all data processing carried out by a processor on
behalf of a controller is carried out under a written contract.
This UK Data Processing Agreement is designed for use in conjunction with a
separate service agreement or other similar contract under which the
services to be provided include the processing of personal data.
This agreement has been written to assist in compliance with the retained
EU law version of the GDPR (the UK GDPR) and the Data Protection Act 2018.
It is designed for use by a UK data processor processing personal data on
behalf of a UK data controller, only within the UK.
Data processing agreements like this are designed to carefully regulate the
activities of processors with respect to personal data. There is a
particular emphasis on their compliance with the applicable legislation –
in this case, with a focus on the UK GDPR. Key features include:
Details of the subject matter, nature, purpose, and duration of the
Details of the type(s) and categories of personal data and data
The processor must act only on written instructions from the
Personnel processing personal data must be subject to obligations of
confidence and be suitably trained;
The processing must take place securely, with suitable organisational
and technical measures in place;
The processor can only subcontract its obligations with the consent of
the controller, and only then under a written contract that imposes the
same obligations on the subcontractor as are imposed on the processor
by the main contract;
The processor must assist controllers in fulfilling their obligations
under the data protection legislation, including those relating to
secure processing, data breaches, impact assessments, and the exercise
by data subjects of their rights;
Personal data must be deleted (or otherwise disposed of) appropriately
by the processor at the end of the contract; and
The processor must comply with audits and other inspections carried out
by the controller in order to verify compliance with the data
protection legislation and with the contract.
Further provisions in this UK Data Processing Agreement govern warranties,
liability and indemnity and, in this case, have been written to strike a
balance between the controller and processor.
Optional phrases / clauses are enclosed in square brackets. These should be
read carefully and selected so as to be compatible with one another. Unused
options should be removed from the document.
This UK Data Processing Agreement contains the following clauses:
1. Definitions and Interpretation
2. Scope and Application of this Agreement
3. Provision of the Services and Processing Personal Data
4. Data Protection Compliance
5. Data Subject Requests, Notices, Complaints, and Personal Data Breaches
6. Staff [and Data Protection Officers]
8. Liability and Indemnity
9. Intellectual Property Rights
12. Deletion and/or Disposal of Personal Data
14. Law and Jurisdiction
and the following schedules:
2. Personal Data
3. Technical and Organisational Data Protection Measures
This document is unlocked and in .doc format. Either enter the requisite
details in the highlighted fields or adjust the wording to suit your
Once you have purchased access to the appropriate document folder click on
the “Download Document” link below. You will be asked what you want to do
with the file. It is recommended that you save the document to a location
of your choice prior to viewing.