Data Processing Agreement (UK)
The UK GDPR requires that all data processing carried out by a processor on behalf of a controller is carried out under a written contract.
This UK Data Processing Agreement is designed for use in conjunction with a separate service agreement or other similar contract under which the services to be provided include the processing of personal data.
This agreement has been written to assist in compliance with the retained EU law version of the GDPR (the UK GDPR) and the Data Protection Act 2018. It is designed for use by a UK data processor processing personal data on behalf of a UK data controller, only within the UK.
Data processing agreements like this are designed to carefully regulate the activities of processors with respect to personal data. There is a particular emphasis on their compliance with the applicable legislation – in this case, with a focus on the UK GDPR. Key features include:
- Details of the subject matter, nature, purpose, and duration of the data processing;
- Details of the type(s) and categories of personal data and data subjects;
- The processor must act only on written instructions from the controller;
- Personnel processing personal data must be subject to obligations of confidence and be suitably trained;
- The processing must take place securely, with suitable organisational and technical measures in place;
- The processor can only subcontract its obligations with the consent of the controller, and only then under a written contract that imposes the same obligations on the subcontractor as are imposed on the processor by the main contract;
- The processor must assist controllers in fulfilling their obligations under the data protection legislation, including those relating to secure processing, data breaches, impact assessments, and the exercise by data subjects of their rights;
- Personal data must be deleted (or otherwise disposed of) appropriately by the processor at the end of the contract; and
- The processor must comply with audits and other inspections carried out by the controller in order to verify compliance with the data protection legislation and with the contract.
Further provisions in this UK Data Processing Agreement govern warranties, liability and indemnity and, in this case, have been written to strike a balance between the controller and processor.
Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.
This UK Data Processing Agreement contains the following clauses:
1. Definitions and Interpretation
2. Scope and Application of this Agreement
3. Provision of the Services and Processing Personal Data
4. Data Protection Compliance
5. Data Subject Requests, Notices, Complaints, and Personal Data Breaches
6. Staff [and Data Protection Officers]
8. Liability and Indemnity
9. Intellectual Property Rights
12. Deletion and/or Disposal of Personal Data
14. Law and Jurisdiction
and the following schedules:
2. Personal Data
3. Technical and Organisational Data Protection Measures
This document is unlocked and in .doc format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.