Data Processor Agreement (UK/EEA)

Data Processing Agreement - Personal Data Security (UK/EEA)


This Data Processing Agreement - Personal Data Security (UK/EEA) template is designed to be used where a data controller within the UK/EEA collects and uses personal data (e.g. of its customers and staff), and it engages a data processor within the UK/EEA to hold/process that personal data (and any other data) for the data controller.

Schedule 1 to the Data Protection Act 1998 sets out the Data Protection Principles to be followed by a data controller.

It also states in particular that where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless the processing is:

  1. Carried out under a contract which is made or evidenced in writing;
  2. Under which the data processor is to act only on instructions from the data controller; and
  3. The contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

This form of agreement is designed to regulate what the data processor may/must do with the personal data, and how it may/must do so. This document meets the above requirements of the Data Protection Act 1998.

The new General Data Protection Regulation will require the UK Government to amend the 1998 Act. This is unlikely, however, to require data controllers engaging data processors to adopt other measures instead of an Agreement such as this Data Processing Agreement. Nor is it likely that the amendments to the Act will require this template to be amended but if in due course it becomes apparent that amendments to the 1998 Act do necessitate changes to this template, we will make them promptly.

This agreement template is only for use where the data controller engages the data processor to carry out services for it which will entail processing personal data where there is no “external” element, i.e. all of the data stays with the data controller and the data processor. For example, there would be no external element if the data processor is engaged only to provide services (such as IT or administrative services) which does not involve any disclosure or external use of any personal data by the data processor. The template is not suitable for use where, for example, where a data processor is engaged to use name lists and other personal data to carry out marketing for the data controller.

This document is in open format.

Once you have purchased access to the appropriate document folder click on the “Download Document” button below. You will be asked what you want to do with the file. It is recommended that you save the document to a location of your choice prior to viewing.