Data Processing Agreement (UK to EEA)

This Data Processing Agreement (UK and UK to EEA) is designed for use where a UK data controller appoints a data processor in the United Kingdom or the European Economic Area to process personal data on its behalf.

It provides a written contractual framework for processor arrangements under the UK GDPR and the Data Protection Act 2018, with detailed provisions designed to give both parties clear instructions about the processing of personal data.

The template can be used as a standalone agreement, with the relevant services described in a schedule, or alongside a separate service agreement where data processing forms part of a wider commercial arrangement.

When this agreement is suitable

Use this template where personal data is processed for a UK controller by a processor based in the UK or EEA. Typical examples include outsourced processing involving customer, client, employee, or other business-related personal data.

Transfers from the UK to EEA countries can continue without additional transfer safeguards. Where processing involves transfers to countries outside the EEA, a different template should be used instead: Data Processing Agreement (UK to Non-EEA).

What the agreement covers

This template includes the core controller-processor terms required by UK data protection law, together with broader contractual provisions on risk allocation and compliance.

• the subject matter, nature, purpose, and duration of the processing;
• the categories of personal data and data subjects involved;
• the requirement for the processor to act only on the controller’s written instructions;
• confidentiality obligations for personnel handling personal data;
• security of processing and appropriate technical and organisational measures;
• rules on sub-processing and equivalent obligations for subcontractors;
• assistance with data subject rights, personal data breaches, and data protection impact assessment-related obligations;
• return, deletion, disposal, audit, and information rights; and
• liability and indemnity provisions drafted to strike a balance between controller and processor.

Record-keeping and compliance support

The template also addresses processor record-keeping in clause 13.2. That provision is optional because the UK GDPR only requires certain processors to maintain records of processing activities in specified circumstances, including where the processor has 250 or more employees or where particular higher-risk or non-occasional processing applies.

Even where formal record-keeping is not strictly required, processors must still make available to controllers the information needed to demonstrate compliance. In practice, keeping records may therefore still be useful.

Agreement structure

The document includes clauses dealing with scope, processor obligations, confidentiality, security, data subject rights, personal data breaches, international transfers, subcontracting, return or deletion of data, audits, warranties, liability, termination, notices, and governing law.

It also includes schedules covering the services, the personal data involved, and the technical and organisational data protection measures.

For related templates, see Data Processing Agreement (UK) for UK-only processing arrangements, and International Data Transfer Agreement where additional transfer documentation is needed.

Data Processing Agreement (UK to EEA) is part of Business . Just £38.50 + VAT provides unlimited downloads from Business for 1 year.