
Data Processing Agreement — UK GDPR (England & Wales)

What is a Data Processing Agreement — UK GDPR (England & Wales)?

A Data Processing Agreement (DPA) under the UK GDPR is a legally binding written instrument that must be in place whenever a controller engages a processor to process personal data on its behalf.

The DPA sets out the legal framework governing the relationship between the controller — the organisation that determines the purposes and means of processing — and the processor — the organisation that carries out the processing in accordance with the controller's instructions. Classic processor relationships include cloud hosting providers, SaaS platform operators, payroll bureaux, email marketing agencies, and any software vendor with access to customer or employee data.

Key legislation: UK GDPR (retained EU law), Data Protection Act 2018 (DPA 2018), the UK International Data Transfer Agreement (IDTA) published by the ICO for restricted international transfers, and the Privacy and Electronic Communications Regulations 2003 (PECR) for electronic marketing. The ICO enforces UK data protection law and can impose fines of up to £17.5 million or 4% of global annual turnover, whichever is higher, for the most serious infringements.

The United Kingdom Data Processing Agreement — UK GDPR (England & Wales) template creates a thorough DPA that satisfies all eight mandatory requirements of Article 28(3) UK GDPR, addresses sub-processor authorisation in line with Article 28(2), includes provisions for international data transfers using the UK IDTA framework, specifies technical and organisational security measures under Article 32, sets a contractual breach notification deadline to enable the controller to meet the ICO's 72-hour reporting window under Article 33, and provides for data deletion or certified return on termination.

The legal framework governing the Data Processing Agreement — UK GDPR (England & Wales) in the United Kingdom draws on several statutes and regulatory bodies. The UK General Data Protection Regulation (UK GDPR) sets the foundational requirements. Under the Companies Act 2006, Companies House maintains the register of UK companies, and section 386 of that Act sets accounting record obligations. The Competition and Markets Authority (CMA) enforces the Consumer Rights Act 2015. The Financial Conduct Authority (FCA) regulates financial services under the Financial Services and Markets Act 2000. The High Court of Justice has jurisdiction under the Senior Courts Act 1981. Parties executing a Data Processing Agreement — UK GDPR (England & Wales) in the United Kingdom should confirm the document reflects current law, including any amendments enacted since the original drafting date.

When do you need a Data Processing Agreement — UK GDPR (England & Wales)?

When engaging a cloud service provider, SaaS platform, or IT services company that will have access to your customers' or employees' personal data — for example, when moving CRM data to Salesforce, hosting employee records in an HR platform, or using a payroll bureau — because UK GDPR Article 28 makes a written DPA a legal prerequisite for any processor engagement.

When an agency, marketing firm, or analytics provider processes personal data on your behalf — such as running email campaigns using your contact list, analysing website traffic data, or processing behavioural data for targeted advertising — to confirm compliance with UK GDPR and PECR and to demonstrate accountability under Article 5(2) UK GDPR.

When sub-contracting any processing activity to a third party — for example, a software developer who has access to a production database, an accountant who processes payroll data, or a call centre that handles customer service records — because the controller remains responsible for the processor's compliance under UK GDPR.

When transferring personal data to a processor based outside the UK — particularly to the United States, India, or other countries without UK adequacy status — because the DPA must incorporate a UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs to provide adequate safeguards under Chapter V UK GDPR.

When responding to an ICO investigation, regulatory audit, or due diligence exercise in the context of a business sale or investment — because demonstrating a compliant DPA is a key element of UK GDPR accountability under Article 5(2) and Schedule 1 DPA 2018.

Without a compliant DPA, the controller and processor both risk ICO enforcement action, civil liability to data subjects under s.169 DPA 2018, and reputational damage. UK GDPR processors are also directly liable for their own breaches under Article 82(2) UK GDPR.

What should a Data Processing Agreement — UK GDPR (England & Wales) contain?

Parties and Roles — Clear identification of the controller (including ICO registration number) and the processor (including Companies House number), their legal form and governing addresses. Establishing the correct controller/processor distinction is fundamental, as the parties bear different legal obligations under UK GDPR.

Principal Agreement Reference — The DPA should be incorporated as a schedule or addendum to the main services agreement, with the DPA prevailing in the event of any conflict on data protection matters.

Article 28(3) Processing Particulars — The mandatory schedule required by UK GDPR Article 28(3) specifying: the subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data; the categories of data subjects; and the controller's obligations and rights. These must be specific and not generic.

Processing on Instructions Only — The core processor obligation (Article 28(3)(a)): the processor may only process data on documented instructions from the controller, except where required to do so by UK law. This is the foundation of the controller/processor relationship.

Confidentiality of Processing — All personnel authorised to process personal data must be subject to appropriate confidentiality obligations (Article 28(3)(b)), whether contractual or arising from a professional duty.

Technical and Organisational Security Measures — A specific description of the security measures the processor will implement under Article 32 UK GDPR, appropriate to the risk and nature of the processing. This should include both technical controls (encryption, access controls, penetration testing) and organisational measures (policies, staff training, incident response procedures).

Sub-Processor Authorisation — Whether the controller grants general or specific written consent to sub-processors (Article 28(2)), the obligation to impose equivalent DPA terms on each sub-processor, and the processor's continued liability for sub-processor acts.

International Transfer Mechanism — If data is transferred outside the UK, the applicable transfer safeguard (UK adequacy regulations, UK IDTA, UK Addendum to EU SCCs, or ICO-approved binding corporate rules) must be specified, together with any Transfer Risk Assessment obligations.

Personal Data Breach Notification — The contractual notification deadline for the processor to report a breach to the controller (commonly 24–48 hours), which must be short enough for the controller to meet its 72-hour ICO notification obligation under Article 33 UK GDPR.

Data Subject Rights Assistance — The processor's obligation to promptly forward any data subject requests and to assist the controller in responding within UK GDPR time limits (one month, extendable to three months for complex requests under Article 12).

DPIA and Prior Consultation Support — The processor's duty to assist the controller with data protection impact assessments under Article 35 and prior consultation with the ICO under Article 36 where high-risk processing is involved.

Audit and Inspection Rights — The controller's right to audit the processor, subject to reasonable advance notice, to verify compliance with the DPA and UK GDPR obligations (Article 28(3)(h)).

Data Deletion or Return on Termination — The processor's obligation, at the controller's election, to securely delete or return all personal data on termination of the services, and to certify deletion in writing within the agreed period.

Governing Law and Jurisdiction — Confirmation that the DPA is governed by the laws of England and Wales, with the ICO as the competent supervisory authority for UK data protection purposes. The forms-legal.com Data Processing Agreement — UK GDPR (England & Wales) template covers the mandatory elements under UK General Data Protection Regulation (UK GDPR).

Sources & Citations

Statutory citations link to official government sources. Last verified by Forms Legal Editorial Team.

  1. GDPR Article 28


Based on UK General Data Protection Regulation (UK GDPR) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.


Related Documents

You may also find these documents useful:

Non-Disclosure Agreement (NDA) (UK)

Protect your confidential business information in England and Wales with a legally sound Non-Disclosure Agreement. Whether you are sharing trade secrets with a prospective partner, disclosing proprietary technology to a developer, or presenting financial projections to a potential investor, a properly drafted UK NDA keeps your sensitive information under strict legal protection. Our template is drafted in accordance with English common law and incorporates the key provisions required for enforceability in England and Wales.

Privacy Policy (UK)

Create a comprehensive UK Privacy Policy compliant with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018. This template covers data controller identification, ICO registration, lawful bases for processing, data subject rights, cookies under PECR, international data transfers, data retention, and breach notification. Suitable for websites, apps, and online services operating in England and Wales. Fill in your organisation's details, preview in real time, and download as PDF or Word.

Service Agreement (UK)

Create a comprehensive UK service agreement governed by the laws of England and Wales. Covers the Consumer Rights Act 2015, Supply of Goods and Services Act 1982, Late Payment of Commercial Debts (Interest) Act 1998, UK GDPR, IR35, VAT, intellectual property, and confidentiality. Suitable for consultants, freelancers, agencies, and businesses of all sizes.

Consultancy Agreement (UK)

Create a comprehensive UK Consultancy Agreement governed by the laws of England and Wales. This template covers scope of services, fees and payment in GBP, intellectual property ownership, confidentiality, data protection (UK GDPR / Data Protection Act 2018), IR35 off-payroll working status, right of substitution, non-solicitation, insurance requirements, limitation of liability, and indemnity. Suitable for limited companies, LLPs, sole traders, partnerships, and individuals. Fill out the wizard, preview in real time, and download as PDF or Word.

Employee Non-Disclosure Agreement (England & Wales)

Protect your business's confidential information and trade secrets with an Employee NDA drafted for England and Wales. Unlike a general commercial NDA, an employee-specific confidentiality agreement addresses the unique legal obligations that arise in the employment relationship — including mandatory whistleblowing carve-outs under the Public Interest Disclosure Act 1998, compliance with the Victims and Prisoners Act 2024, and alignment with the Trade Secrets (Enforcement, etc.) Regulations 2018. Our template ensures your confidential information is protected both during and after employment while fully respecting the employee's statutory rights.