Data Processing Agreement (UK to Non-EEA)
This Data Processing Agreement (UK to Non-EEA) is designed for use where a UK data controller appoints a data processor located outside the European Economic Area to process personal data on its behalf.
It provides the written controller-processor contract required by the UK GDPR and the Data Protection Act 2018, and is structured for use in international processing arrangements where additional transfer rules may also apply.
The agreement can be used as a standalone document, with the relevant services described in a schedule, or alongside a separate service agreement where data processing forms part of a broader commercial relationship.
When to use this agreement
Use this template where a UK controller is engaging a processor in a third country. It is intended for arrangements involving personal data such as customer, client, or employee data, and is designed to address both the Article 28(3) UK GDPR contract requirements and the wider issues that arise when processing takes place outside the UK and EEA.
If your processor is located in the UK or EEA, the more appropriate template is Data Processing Agreement (UK to EEA).
International transfers and the IDTA
This template is compatible with the ICO’s International Data Transfer Agreement. For UK to non-EEA transfers, the ICO provides two options for data exporters: the IDTA or the ICO’s International Data Transfer Addendum to the EU Commission’s current Standard Contractual Clauses.
Where a transfer to a non-EEA country requires such clauses, the completed clauses should be attached to this agreement as a schedule. This template is designed to work with those additional transfer safeguards, not to replace them.
Transfers from the UK to EEA countries may continue unrestricted. Personal data may also be transferred to countries covered by adequacy regulations, including partial findings of adequacy where applicable.
Other safeguards may also be available depending on the circumstances, including binding corporate rules, contractual clauses authorised by the ICO, approved codes of conduct, or certification under an approved certification mechanism.
What the agreement covers
This template includes the key controller-processor terms required by UK data protection law, together with additional provisions aimed at allocating responsibilities clearly between the parties. It covers:
- the subject matter, nature, purpose, and duration of the processing;
- the types of personal data, categories of data subjects, and the processor’s obligation to act only on written instructions;
- confidentiality obligations for personnel handling personal data;
- security of processing and appropriate technical and organisational measures;
- subcontracting controls and equivalent obligations for sub-processors;
- assistance with data subject rights, personal data breaches, impact assessments, and related compliance duties;
- return, deletion, or disposal of personal data at the end of the arrangement;
- audit and information rights; and
- liability and indemnity provisions intended to strike a balance between controller and processor.
Record-keeping and schedules
The template also addresses processor record-keeping in clause 13.2. That provision is optional because the UK GDPR only requires certain processors to keep records of processing activities in specified circumstances, including where the processor has 250 or more employees or where the processing is high risk, not occasional, or involves special category data or criminal convictions and offences data.
Even where formal record-keeping is not strictly required, processors must still make available to controllers the information needed to demonstrate compliance. Keeping records may therefore still be useful in practice.
The agreement includes clauses dealing with scope, processor obligations, confidentiality, security, data subject rights, personal data breaches, cross-border transfers, subcontracting, return or deletion of data, audits, warranties, liability, termination, notices, and governing law.
It also includes schedules covering the services, the personal data involved, technical and organisational data protection measures, the legal basis for processing personal data outside the EEA, and a blank schedule for inserting the completed IDTA or other appropriate standard contractual clauses.
Important legal point
❗ Please note that transferring personal data to territories outside of the UK or EEA is a highly complex legal area. This template has been designed to assist in compliance with the UK’s data protection legislation when processing personal data in third countries, but obtaining legal advice is strongly recommended. The ICO also provides help and guidance for SMEs.
