Free Data Processing Agreement Template
A data processing agreement sets out the terms under which a data processor handles personal data on behalf of a data controller. Use our free UK template to create a compliant agreement that meets the mandatory requirements of UK GDPR Article 28.
"UK GDPR" means the General Data Protection Regulation as it forms part of domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended.
"Data Protection Act 2018" or "DPA 2018" means the Data Protection Act 2018 (as amended).
"Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Sub-processor" have the meanings given to them in UK GDPR.
"ICO" means the Information Commissioner's Office, the UK supervisory authority for data protection.
Duration: For the term of the main services agreement between the parties
Types of personal data: Names; Email addresses; Phone numbers
Categories of data subjects: Customers and clients; Employees and staff
Confidentiality: The Processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Security: The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, in accordance with Article 32 UK GDPR.
Assistance: The Processor shall assist the Controller in responding to data subject access requests, carrying out data protection impact assessments, notifying personal data breaches to the ICO, and responding to ICO consultations.
Encryption of personal data at rest and in transit
Role-based access controls and least-privilege access
Regular backup and recovery testing
Multi-factor authentication for system access
Data Protection Contact (Processor): Sarah Jones, Data Protection Officer
Sub-processors: The Processor shall not engage any sub-processor without the specific prior written consent of the Controller, obtained for each individual sub-processor before that sub-processor is engaged. Sub-processors must be bound by data protection obligations equivalent to those set out in this Agreement.
The parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.
This Agreement is supplemental to and does not replace or supersede the main services agreement. In the event of any conflict with respect to data protection matters, this Agreement shall prevail.
If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
What Is a Data Processing Agreement?
A data processing agreement (DPA) is a legally binding contract between a data controller and a data processor that governs the processing of personal data. It is a mandatory requirement under Article 28 of the UK GDPR whenever a controller engages a third party to process personal data on its behalf.
The agreement must set out the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data and categories of data subjects, and the obligations and rights of the controller. It ensures that processors handle data only on documented instructions from the controller.
Common UK scenarios requiring a DPA include outsourcing payroll processing to British providers, using cloud storage providers, engaging marketing agencies that access customer data, or appointing IT support companies with access to employee records in England and Wales.
What's Covered in This Template
Our data processing agreement template includes all mandatory Article 28 provisions and practical supplementary terms.
Parties and Definitions
Identification of the controller and processor, with clear definitions of key terms used throughout the agreement.
Scope of Processing
Subject matter, duration, nature and purpose of the processing, types of personal data and categories of data subjects.
Controller Instructions
Obligation for the processor to act only on documented instructions from the controller, including for international transfers.
Confidentiality Obligations
Requirements for the processor to ensure that persons authorised to process data are bound by confidentiality obligations.
Security Measures
Technical and organisational measures the processor must implement to protect personal data under Article 32.
Sub-Processing
Conditions for engaging sub-processors, including prior authorisation, contractual requirements and liability.
Data Subject Rights
Obligations to assist the controller in responding to data subject access requests and other rights.
Breach Notification
Requirements for the processor to notify the controller of personal data breaches without undue delay.
International Transfers
Safeguards for transferring personal data outside the UK, including Standard Contractual Clauses or adequacy decisions.
Audit Rights
The controller’s right to conduct audits and inspections of the processor’s data processing activities.
How to Create a Data Processing Agreement
Follow these steps to create a comprehensive and compliant data processing agreement.
1. Identify the Parties and Processing
Specify the controller and processor, and describe exactly what personal data will be processed, for what purposes and for how long.
2. Set Out Processor Obligations
Include all mandatory Article 28 obligations: acting on instructions, ensuring confidentiality, implementing security measures and assisting with data subject rights.
3. Address Sub-Processing
State whether sub-processors are permitted, the authorisation process and the requirement for equivalent contractual protections.
4. Include Security and Breach Terms
Specify the technical and organisational security measures required and the process for notifying the controller of any data breaches.
5. Review and Execute
Both parties should review the agreement, ensure it accurately reflects the processing relationship and sign it before any processing begins.
Legal Considerations
A data processing agreement must meet specific legal requirements to be compliant with the UK GDPR.
This template is for informational purposes only and does not constitute legal advice. Consult a qualified solicitor for advice specific to your situation.
Reviewed for England & Wales law
Mandatory Article 28 Content
Article 28(3) of the UK GDPR prescribes specific content that must be included in every UK data processing agreement. These mandatory clauses cover instructions, confidentiality, security, sub-processing, data subject rights assistance, breach notification, deletion or return of data, and audit rights — all of which are binding on British processors under English law.
Processor Liability
Under Article 82 of the UK GDPR, a British processor may be directly liable to data subjects for damage caused by processing that infringes UK data protection law. A UK processor is liable for the full extent of the damage unless it can prove it is not responsible for the event giving rise to the damage.
International Transfers
If the processor is located outside the UK or uses sub-processors in third countries, appropriate safeguards must be in place. The UK has its own adequacy regulations and International Data Transfer Agreement (IDTA) which replaced EU Standard Contractual Clauses for UK transfers.
Record-Keeping
Both controllers and processors are required to maintain records of processing activities under Article 30 of the UK GDPR. The data processing agreement should be retained as part of these records and made available to the ICO on request.