When is a data processing agreement required?

A DPA is required under Article 28 of the UK GDPR whenever a data controller engages a data processor to process personal data on its behalf. Common examples include outsourced payroll, cloud hosting, email marketing services, customer support outsourcing, and IT support providers. If a third party processes personal data on your instructions, you need a DPA.

What is the difference between a controller and a processor?

A controller determines the purposes and means of processing personal data — they decide why and how data is processed. A processor processes personal data on behalf of the controller — they carry out the processing according to the controller's instructions. For example, a company (controller) that uses an external payroll provider (processor) to process employee salaries.

What must a DPA include?

Article 28(3) of the UK GDPR requires a DPA to include: processing only on documented instructions; confidentiality obligations; security measures; sub-processor restrictions; assistance with data subject rights; assistance with security obligations; data deletion or return at the end of the contract; and audit rights. This template covers all eight requirements.

How quickly must a processor notify the controller of a data breach?

The UK GDPR does not specify an exact timeframe for processor-to-controller notification, but Article 33(2) requires notification 'without undue delay'. Since the controller must then notify the ICO within 72 hours, it is standard practice to require the processor to notify within 24 or 48 hours to give the controller enough time to assess and report the breach.

Can a processor use sub-processors?

Only with the controller's authorisation. Article 28(2) allows two approaches: prior specific authorisation (the controller approves each sub-processor individually) or general written authorisation (the controller gives a general approval, but the processor must inform the controller of any changes and give them the opportunity to object). The DPA must specify which approach applies.

What happens if the processor breaches the DPA?

The controller may have contractual remedies (termination, damages) under the DPA. Additionally, under Article 82 of the UK GDPR, a processor may be directly liable to data subjects for damage caused by processing that infringes the regulation. The ICO can also take enforcement action directly against processors, including fines of up to £17.5 million or 4% of annual global turnover.

Free Data Processing Agreement Template (UK GDPR)

A data processing agreement (DPA), also known as a data processing addendum, is a legally binding contract required under Article 28 of the UK General Data Protection Regulation (UK GDPR) whenever a.

FreePDF & Word

Your data stays on your device — nothing is sent to any server.

parties

Data Controller Name*

Data Controller Address*

Data Processor Name*

Data Processor Address*

processing

Purpose of Processing*

Categories of Personal Data*

Categories of Data Subjects*

security

Technical and Organisational Security Measures*

Are Sub-Processors Engaged?*

Breach Notification Period*

The UK GDPR requires notification to the ICO within 72 hours. The processor should notify the controller sooner.

execution

Date of Agreement*

Document Preview

DATA PROCESSING AGREEMENT pursuant to Article 28 of the UK General Data Protection Regulation DATE: [date] BETWEEN: (1) [controllerName] of [controllerAddress] (the "Controller"); and (2) [processorName] of [processorAddress] (the "Processor"). 1. BACKGROUND 1.1 The Controller has engaged the Processor to provide certain services that involve the processing of personal data on behalf of the Controller. 1.2 This Data Processing Agreement ("DPA") sets out the terms on which the Processor will process personal data on behalf of the Controller, in compliance with Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. 2. DEFINITIONS 2.1 "Personal Data", "Data Subject", "Processing", "Controller", "Processor", and "Personal Data Breach" have the meanings given to them in the UK GDPR. 3. SCOPE OF PROCESSING 3.1 Purpose of processing: [processingPurpose] 3.2 Categories of personal data: [dataCategories] 3.3 Categories of data subjects: [dataSubjects] 3.4 Duration: The Processor shall process personal data for the duration of the service agreement between the parties, unless otherwise agreed in writing. 4. PROCESSOR OBLIGATIONS 4.1 The Processor shall: (a) process the personal data only on documented instructions from the Controller, unless required to do so by law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless the law prohibits such disclosure); (b) ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) take all measures required pursuant to Article 32 of the UK GDPR (security of processing), including the following technical and organisational measures: [securityMeasures] (d) not engage another processor (sub-processor) without prior specific or general written authorisation of the Controller; (e) assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subjects' rights under Chapter III of the UK GDPR; (f) assist the Controller in ensuring compliance with the obligations under Articles 32-36 of the UK GDPR, taking into account the nature of processing and the information available to the Processor; (g) at the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless retention is required by law; (h) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. 5. SUB-PROCESSORS 5.1 The Controller authorises the use of the following sub-processors: [subProcessors] 5.2 The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract. The Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations. 5.3 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object. 6. PERSONAL DATA BREACH 6.1 The Processor shall notify the Controller of any Personal Data Breach within [breachNotificationPeriod] of becoming aware of it. 6.2 The notification shall include: (a) a description of the nature of the breach; (b) the categories and approximate number of data subjects affected; (c) the likely consequences of the breach; (d) the measures taken or proposed to mitigate the breach. 7. AUDIT RIGHTS 7.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections. 7.2 Audits shall be conducted with reasonable notice and during normal business hours. 8. GOVERNING LAW 8.1 This DPA shall be governed by and construed in accordance with the laws of England and Wales. SIGNED: For and on behalf of the Controller: ___________________________ Name: Position: Date: [date] For and on behalf of the Processor: ___________________________ Name: Position: Date: [date]

Important Notes

Legal Disclaimer

This data processing agreement is required by Article 28(3) of the UK GDPR, which mandates that processing by a processor must be governed by a contract that sets out specific terms. The UK GDPR is the retained version of the EU GDPR (Regulation (EU) 2016/679), as incorporated into UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). Article 28(3) lists eight mandatory provisions that must be included. Article 32 requires both controllers and processors to implement appropriate technical and organisational security measures. Article 33 requires controllers to notify the ICO of personal data breaches within 72 hours — the processor must therefore notify the controller promptly to enable compliance. The ICO has published guidance on contracts and liabilities between controllers and processors, available at ico.org.uk.

This template is provided for informational purposes only and does not constitute legal advice. For complex legal matters, we recommend consulting a qualified solicitor.

Free Data Processing Agreement Template (UK GDPR)

Important Notes

Frequently Asked Questions

Related Templates