(UK GDPR)
Create your data processing agreement with processing details, security measures, sub-processor controls, and audit rights.
Professionally drafted — structured following UK GDPR Article 28 requirements for England and Wales.
Download a professionally drafted data processing agreement template for UK businesses sharing personal data with processors. Also known as a DPA, data processor agreement, or Article 28 agreement. Covers processing purposes, data categories, security measures, sub-processor controls, data breach notification, international transfers, audit rights, and data subject access requests. Structured following UK GDPR Article 28 requirements for England and Wales.
Whether you prefer step-by-step guidance or a traditional form, both methods produce the same professionally formatted DPA. Choose the style that suits you.
One screen at a time — less overwhelming, nothing missed.
Everything on one page — faster if you know what you need.
🔒 Your data never leaves your device — saved locally in your browser only
♻️ Unlimited use — generate agreements for every processor relationship
Required by UK GDPR whenever you share personal data with third-party processors — from email marketing to cloud storage.
What UK GDPR requires when you share data with processors
Document what data is processed, why, and for how long — required for accountability.
Specify technical and organisational measures to protect personal data.
Retain ability to verify processor compliance through audits and inspections.
UK GDPR Article 28 requires a written data processing agreement between controllers and processors — setting out the subject matter, duration, nature and purpose of processing, data categories, and obligations of both parties.
UK GDPR Article 28(3) specifies mandatory provisions for data processing agreements. Your DPA must include:
Our template includes all Article 28 requirements with clear guidance.
Under UK GDPR, the controller determines the purposes and means of processing personal data, while the processor acts on the controller's instructions — misidentifying roles can lead to ICO enforcement action and fines of up to £17.5 million.
This DPA template covers processing scope and purpose, data categories, security measures, sub-processor controls, data breach notification procedures, international transfer safeguards, audit rights, data subject access request handling, and termination provisions.
Related documents: Businesses typically also need Privacy Policy, Cookie Policy, and Terms & Conditions.
Common DPA mistakes include failing to specify processing purposes, omitting sub-processor controls, not addressing international data transfers, using generic security measures instead of appropriate technical and organisational safeguards, and forgetting data breach notification timelines.
Our template covers all requirements with clear, structured clauses.
A Data Processing Agreement (DPA) is a recognised contract between a data controller and a data processor.
The controller is the organisation that determines why and how personal data is processed. The processor is a third party that processes data on the controller's behalf.
It's required under UK GDPR Article 28 whenever you share personal data with external providers like email marketing platforms, cloud storage, or payroll services.
You need a DPA whenever you use third-party services that process personal data on your behalf. Common examples include:
• Email marketing platforms (Mailchimp, Klaviyo)
• Cloud storage providers (AWS, Google Cloud)
• Payroll services
• CRM systems (Salesforce, HubSpot)
• Website hosting
• Payment processors
• Outsourced IT or customer service
If they're handling personal data for you, you need a DPA.
UK GDPR Article 28 requires specific provisions including: subject matter and duration of processing, nature and purpose of processing, types of personal data, categories of data subjects, controller's obligations and rights, processor's obligations regarding confidentiality, sub-processors, security measures, assistance with data subject rights, audit rights, and data deletion/return requirements.
Our template includes all mandatory provisions with clear guidance.
Failing to have appropriate DPAs in place is a UK GDPR violation.
The ICO can issue fines up to £8.7 million or 2% of global turnover (lower tier) for administrative failures like missing DPAs.
For more serious breaches involving the processing itself, fines can reach £17.5 million or 4% of turnover.
The controller is the organisation that decides WHY and HOW personal data is processed — typically your business.
The processor is the third party that processes data ON YOUR BEHALF following your instructions — such as your email marketing provider or cloud hosting service.
In a DPA, you're usually the controller and your supplier is the processor.
You receive free lifetime updates — no subscription required, no monthly fees, ever.
We monitor ICO guidance and UK GDPR developments. When we release an updated version, it appears free in your My Templates page. No extra charges. No recurring fees.
£20 one-time. That's it. No subscriptions, no recurring fees, no "free trial" traps.
Here's what we don't do: Other sites advertise "free templates" — you spend 15 minutes filling one in, then they demand your card for a "free trial" that charges £35–£42/month when you forget to cancel. Worse, many are US-based with American terminology that doesn't apply to UK GDPR.
We're different: £20 upfront for the document you actually need. Build it, preview it, pay only when you're happy. Own it forever with free lifetime updates. Based on UK GDPR. No subscription fatigue.