Data Processing Agreement Template (UK)
Create Your Professional Contract in Minutes

Generate your complete UK Data Processing Agreement, reviewed by legal professionals, using either our Smart Interview or Expert Editor. Both methods produce the same professional contract, ready to download instantly.

Limited Time Offer. One-time payment: £10
✓ Lifetime access • ✓ Fully editable • ✓ Updated for UK law • ✓ Instant download
Backed by a 30-day money-back guarantee. Preview the full contract before purchase — see every clause with watermark.

Choose how you want to create your contract

Select your preferred method below — both methods build the same compliant contract, so you're simply choosing how you want to work.

Recommended

Smart Interview

Answer simple guided questions and we'll build your full data processing agreement automatically. Perfect if you want a clear, step-by-step process with no legal knowledge required.

Completion Time: 8 minutes

Expert Editor (Fastest)

See all fields instantly and edit your contract directly with live preview updates. Ideal if you want full control and faster completion.

Completion Time: 4 minutes
GDPR Requirement

Why You Need a Data Processing Agreement

GDPR Article 28 mandates written Data Processing Agreements between data controllers and processors

Legal Requirement

GDPR Article 28 and UK Data Protection Act 2018 require written contracts with data processors covering specific obligations.

Avoid ICO Fines

Missing or inadequate DPAs can result in fines up to £17.5 million or 4% of annual turnover for non-compliance.

Protect Your Business

Clearly defines processor obligations, limits liability, and ensures data protection accountability.

What Must Be Included (GDPR Article 28 Requirements)

Under GDPR Article 28 and UK Data Protection Act 2018, your Data Processing Agreement must include:

  • Subject matter and duration: Clear description of processing activities and agreement term
  • Nature and purpose of processing: Detailed explanation of what processing will occur and why
  • Type of personal data: Categories of personal data being processed (names, emails, addresses, etc.)
  • Categories of data subjects: Who the data relates to (customers, employees, website visitors, etc.)
  • Controller obligations and rights: Instructions for processing and controller's audit rights
  • Processor obligations: Including confidentiality, security measures, sub-processor requirements, data subject rights assistance, breach notification, deletion/return of data
  • Security measures: Technical and organisational measures (encryption, access controls, etc.)
  • Sub-processor requirements: Written authorization for sub-processors and flow-down obligations
  • International transfers: Safeguards for transfers outside UK/EEA (if applicable)
  • Breach notification: Obligation to notify controller without undue delay
  • Data subject rights: Assistance with access requests, erasure, portability, etc.
  • Audit rights: Controller's right to audit processor's compliance
  • Deletion or return: Obligation to delete or return data at end of processing

Our template includes all mandatory Article 28 provisions for full GDPR compliance.

Penalties for Non-Compliance

ICO Enforcement Powers:

  • Tier 2 administrative fines: Up to £17.5 million or 4% of annual global turnover (whichever is higher) for Article 28 violations
  • Joint and several liability: Both controller and processor can be liable for GDPR breaches
  • Enforcement notices: ICO can order immediate compliance and corrective actions
  • Processing bans: ICO can prohibit specific processing activities
  • Compensation claims: Data subjects can sue for damages caused by non-compliant processing
  • Audits and investigations: ICO can conduct detailed audits of processing arrangements

Real ICO Actions:

British Airways (£20m fine) and Marriott (£18.4m fine) both involved processor relationships without adequate contractual safeguards. The ICO specifically identified missing or inadequate Data Processing Agreements as contributing factors.

Every data controller using third-party processors MUST have compliant DPAs in place.

Get compliant today for just £10.

What's Included in Our Template

Full GDPR Article 28 & UK DPA 2018 Compliance:

  • ✓ Comprehensive definitions (Controller, Processor, Data Subject, Personal Data, Processing, etc.)
  • ✓ Subject matter, nature, purpose, and duration clause
  • ✓ Types of personal data and categories of data subjects
  • ✓ Controller instructions and obligations
  • ✓ Processor obligations (confidentiality, security, assistance, notification)
  • ✓ Technical and organisational security measures (TOMs)
  • ✓ Sub-processor authorization and requirements
  • ✓ International data transfer safeguards (Standard Contractual Clauses references)
  • ✓ Data subject rights assistance obligations
  • ✓ Personal data breach notification procedures
  • ✓ Data Protection Impact Assessment (DPIA) assistance
  • ✓ Audit and inspection rights
  • ✓ Deletion or return of personal data
  • ✓ Records of processing activities
  • ✓ Processor warranties and representations
  • ✓ Liability and indemnification clauses
  • ✓ Term and termination provisions
  • ✓ Governing law (England & Wales / Scotland / Northern Ireland)

Professional, legally sound, and ready to sign.

Common Mistakes to Avoid

Don't Fall Into These Traps:

  • No written DPA at all: Verbal agreements or email exchanges do NOT satisfy GDPR requirements. You must have a written, signed contract.
  • Using processor's generic terms: Third-party processors often provide inadequate DPAs that don't meet Article 28. Controllers must ensure full compliance.
  • Missing mandatory clauses: Every Article 28(3) requirement must be explicitly addressed. Missing even one clause = non-compliance.
  • Vague processing instructions: "Process as necessary" is insufficient. Instructions must be specific, documented, and lawful.
  • No sub-processor controls: Processors must obtain prior written authorization before engaging sub-processors. Flow-down obligations are mandatory.
  • Inadequate security measures: Must specify actual technical and organisational measures (encryption, access controls, etc.), not just "appropriate security".
  • Missing breach notification timelines: Must specify "without undue delay" notification requirement to controller.
  • No audit rights: Controllers must retain rights to audit and inspect processor's data protection practices.
  • Forgetting data deletion: Must require return or deletion of personal data at end of processing.
  • Using US DPA templates: US data processing agreements don't include GDPR-specific requirements and won't protect you.
  • No international transfer safeguards: If processor uses servers outside UK/EEA, must include Standard Contractual Clauses or equivalent.

Our template prevents all these mistakes with comprehensive GDPR-compliant clauses.

Quick Comparison

  • Best For: Smart Interview for first-time users, Expert Editor for repeat customers
  • Final Document: Both create identical GDPR-compliant DPAs
  • Price: £10 for either method

Frequently Asked Questions

Is a Data Processing Agreement legally required under GDPR?

Yes. GDPR Article 28(3) and UK Data Protection Act 2018 Section 59 mandate that data controllers MUST have a written contract with every data processor. This is not optional - it's a legal requirement. The contract must be in writing (or electronic form) and include all mandatory provisions specified in Article 28(3). Failure to have compliant DPAs is a direct violation of GDPR.

When do I need a Data Processing Agreement?

You need a DPA whenever you engage a third party to process personal data on your behalf. Common examples: email marketing services (Mailchimp, SendGrid), cloud hosting providers (AWS, Azure), payment processors (Stripe, PayPal), CRM systems (Salesforce, HubSpot), analytics tools (Google Analytics), customer support platforms (Zendesk, Intercom), and any contractor or agency accessing customer data. If they process personal data under your instructions, you need a DPA.

What's the difference between a controller and a processor?

A data controller determines the purposes and means of processing personal data (e.g., "We'll collect customer emails to send marketing newsletters"). A data processor processes personal data on behalf of the controller under their instructions (e.g., the email service provider sending those newsletters). Controllers have primary GDPR compliance obligations. Processors must follow controller instructions and implement specific security measures. The DPA defines this relationship and obligations.

Can I use the processor's standard DPA template?

Many large processors (AWS, Google, Microsoft) provide their own DPA templates. While these are often compliant, you should review them carefully to ensure they meet all Article 28 requirements and protect your interests as the controller. Smaller processors may not provide adequate DPAs, requiring you to provide your own. As the controller, you're ultimately responsible for ensuring compliant DPAs are in place - you cannot delegate this obligation.

Why We Offer Two Methods

Different users prefer different approaches. Some like guided assistance to ensure nothing is missed, while others prefer seeing everything at once for faster completion. We've created both options to match your working style. The final Data Processing Agreement is identical regardless of which method you choose.