Create a Data Processing Agreement (DPA) fully compliant with UK GDPR Article 28 and the Data Protection Act 2018 for England and Wales. This template covers all mandatory Article 28(3) processor obligations, ICO registration, sub-processor authorisation with prior notice, UK IDTA provisions for international transfers outside the UK, technical and organisational security measures under Article 32, personal data breach notification timelines, data subject rights assistance, DPIA support, audit rights with advance notice, and data deletion or return obligations. Includes controller ICO registration details, special category data provisions, and automatic termination with the principal services agreement. Governing law: England and Wales. Download as PDF or Word.
What Is a Data Processing Agreement — UK GDPR (England & Wales)?
A Data Processing Agreement (DPA) is a legally binding contract required by Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 whenever a business (the controller) engages a third party (the processor) to process personal data on its behalf. The UK GDPR is the version of the EU GDPR as retained in UK law following Brexit, amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. It applies to all processing of personal data of individuals located in the United Kingdom, regardless of where the processor is based.
The DPA sets out the legal framework governing the relationship between the controller — the organisation that determines the purposes and means of processing — and the processor — the organisation that carries out the processing in accordance with the controller's instructions. Classic processor relationships include cloud hosting providers, SaaS platform operators, payroll bureaux, email marketing agencies, and any software vendor with access to customer or employee data.
Key legislation: UK GDPR (retained EU law), Data Protection Act 2018 (DPA 2018), the UK International Data Transfer Agreement (IDTA) published by the ICO for restricted international transfers, and the Privacy and Electronic Communications Regulations 2003 (PECR) for electronic marketing. The ICO enforces UK data protection law and can impose fines of up to £17.5 million or 4% of global annual turnover (the higher amount) for the most serious infringements.
This template creates a comprehensive DPA that satisfies all eight mandatory requirements of Article 28(3) UK GDPR, addresses sub-processor authorisation in line with Article 28(2), includes provisions for international data transfers using the UK IDTA framework, specifies technical and organisational security measures under Article 32, sets a contractual breach notification deadline to enable the controller to meet the ICO's 72-hour reporting window under Article 33, and provides for data deletion or certified return on termination.
When Do You Need a Data Processing Agreement — UK GDPR (England & Wales)?
When engaging a cloud service provider, SaaS platform, or IT services company that will have access to your customers' or employees' personal data — for example, when moving CRM data to Salesforce, hosting employee records in an HR platform, or using a payroll bureau — because UK GDPR Article 28 makes a written DPA a legal prerequisite for any processor engagement.
When an agency, marketing firm, or analytics provider processes personal data on your behalf — such as running email campaigns using your contact list, analysing website traffic data, or processing behavioural data for targeted advertising — to ensure compliance with UK GDPR and PECR and to demonstrate accountability under Article 5(2) UK GDPR.
When sub-contracting any processing activity to a third party — for example, a software developer who has access to a production database, an accountant who processes payroll data, or a call centre that handles customer service records — because the controller remains responsible for the processor's compliance under UK GDPR.
When transferring personal data to a processor based outside the UK — particularly to the United States, India, or other countries without UK adequacy status — because the DPA must incorporate a UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs to provide adequate safeguards under Chapter V UK GDPR.
When responding to an ICO investigation, regulatory audit, or due diligence exercise in the context of a business sale or investment — because demonstrating a compliant DPA is a key element of UK GDPR accountability under Article 5(2) and Schedule 1 DPA 2018.
Without a compliant DPA, the controller and processor both risk ICO enforcement action, civil liability to data subjects under s.169 DPA 2018, and reputational damage. UK GDPR processors are also directly liable for their own breaches under Article 82(2) UK GDPR.
What to Include in Your Data Processing Agreement — UK GDPR (England & Wales)
Parties and Roles — Clear identification of the controller (including ICO registration number) and the processor (including Companies House number), their legal form and governing addresses. Establishing the correct controller/processor distinction is fundamental, as the parties bear different legal obligations under UK GDPR.
Principal Agreement Reference — The DPA should be incorporated as a schedule or addendum to the main services agreement, with the DPA prevailing in the event of any conflict on data protection matters.
Article 28(3) Processing Particulars — The mandatory schedule required by UK GDPR Article 28(3) specifying: the subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data; the categories of data subjects; and the controller's obligations and rights. These must be specific and not generic.
Processing on Instructions Only — The core processor obligation (Article 28(3)(a)): the processor may only process data on documented instructions from the controller, except where required to do so by UK law. This is the foundation of the controller/processor relationship.
Confidentiality of Processing — All personnel authorised to process personal data must be subject to appropriate confidentiality obligations (Article 28(3)(b)), whether contractual or arising from a professional duty.
Technical and Organisational Security Measures — A specific description of the security measures the processor will implement under Article 32 UK GDPR, appropriate to the risk and nature of the processing. This should include both technical controls (encryption, access controls, penetration testing) and organisational measures (policies, staff training, incident response procedures).
Sub-Processor Authorisation — Whether the controller grants general or specific written consent to sub-processors (Article 28(2)), the obligation to impose equivalent DPA terms on each sub-processor, and the processor's continued liability for sub-processor acts.
International Transfer Mechanism — If data is transferred outside the UK, the applicable transfer safeguard (UK adequacy regulations, UK IDTA, UK Addendum to EU SCCs, or ICO-approved binding corporate rules) must be specified, together with any Transfer Risk Assessment obligations.
Personal Data Breach Notification — The contractual notification deadline for the processor to report a breach to the controller (commonly 24–48 hours), which must be short enough for the controller to meet its 72-hour ICO notification obligation under Article 33 UK GDPR.
Data Subject Rights Assistance — The processor's obligation to promptly forward any data subject requests and to assist the controller in responding within UK GDPR time limits (one month, extendable to three months for complex requests under Article 12).
DPIA and Prior Consultation Support — The processor's duty to assist the controller with data protection impact assessments under Article 35 and prior consultation with the ICO under Article 36 where high-risk processing is involved.
Audit and Inspection Rights — The controller's right to audit the processor, subject to reasonable advance notice, to verify compliance with the DPA and UK GDPR obligations (Article 28(3)(h)).
Data Deletion or Return on Termination — The processor's obligation, at the controller's election, to securely delete or return all personal data on termination of the services, and to certify deletion in writing within the agreed period.
Governing Law and Jurisdiction — Confirmation that the DPA is governed by the laws of England and Wales, with the ICO as the competent supervisory authority for UK data protection purposes.