Data Processing Agreement Template (EEA Processors)

Data Processing Agreement (EEA)


This document is currently awaiting an update for compatibility with the UK GDPR and the UK's new status as a "third country" outside the European Union. This document will be updated shortly, following new guidance from the Information Commissioner.

The GDPR requires that all data processing carried out by a data processor on behalf of a data controller is carried out under a written contract.

This Data Processing Agreement (UK/EEA) is designed for use in situations where a data controller in the UK collects and uses personal data (about its customers or staff, for example), and wishes to engage a data processor within the UK or EEA to hold and/or process that personal data on its behalf.

Data processing agreements are designed to carefully regulate the activities of data processors with respect to personal data, with a particular emphasis on their compliance with – in this case – the GDPR. Key features required (and included in this template) include:

  • Details of the subject matter, nature, purpose, and duration of the data processing;
  • Details of the type(s) and categories of personal data and data subjects;
  • Processors must act only on written instructions from controllers;
  • Personnel processing personal data must be subject to obligations of confidence;
  • The processing must take place securely, with suitable organisational and technical measures in place;
  • Processors can only sub-contract (to “sub-processors” in this case) with the consent of the controller, and only then under a written contract that imposes the same obligations on the sub-processor as are imposed on the processor by the main contract;
  • Processors must assist controllers in fulfilling their GDPR obligations, including those relating to secure processing, data breaches, impact assessments, and the exercise by data subjects of their rights under the GDPR;
  • Personal data must be deleted (or otherwise disposed of) appropriately by processors at the end of the contract; and
  • Processors must comply with audits and other inspections carried out by the controller in order to verify compliance with the GDPR and the contract.

Further provisions in this Data Processing Agreement govern liability and indemnity and, in this case, have been written to strike a balance between the data controller and data processor.

Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.

This Data Processing Agreement (UK/EEA) contains the following clauses:

1. Definitions and Interpretation
2. Scope and Application of this Agreement
3. Provision of the Services and Processing Personal Data
4. Data Protection Compliance
5. Data Subject Access, Complaints, and Breaches
6. [Appointment of a Data Protection Officer]
7. Liability and Indemnity
8. Intellectual Property Rights
9. Confidentiality
10. Appointment of Sub-Processors
11. Deletion and/or Disposal of Personal Data
12. [Consideration]
13. Law and Jurisdiction


and the following schedules:

1. Services
2. Personal Data
3. Technical and Organisational Data Protection Measures


This Data Processing Agreement is in open format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.
