Data Processing Agreement — UK GDPR (England & Wales)
This Data Processing Agreement (the “Agreement” or “DPA”) is entered into on [Effective Date] (the “Effective Date”) by and between:
[Controller Name], [Who Controller], with its registered or principal address at [Controller Address], [Controller City], [Controller Postcode], England and Wales (Companies House No. [Controller Reg No.]; ICO Registration No. [Controller ICO No.]) (the “Controller”); and
[Processor Name], [Who Processor], with its registered or principal address at [Processor Address], [Processor City], [Processor Postcode], England and Wales (Companies House No. [Processor Reg No.]) (the “Processor”).
The Controller and the Processor are referred to collectively as the “Parties” and individually as a “Party”.
BACKGROUND
A. The Controller and the Processor have entered into, or are entering into, the [Main Contract Name] (the “Principal Agreement”) under which the Processor provides certain services to the Controller.
B. In the course of providing those services, the Processor will process Personal Data on behalf of the Controller within the meaning of the UK GDPR and the Data Protection Act 2018.
C. The Parties wish to set out in this DPA the terms upon which the Processor shall process such Personal Data, in compliance with UK GDPR Article 28 and all applicable UK data protection law.
NOW, THEREFORE, in consideration of the mutual obligations set out herein, and for other good and valuable consideration, the Parties agree as follows:
1. DEFINITIONS
1.1 In this Agreement, the following terms shall have the meanings given to them in the UK GDPR and the Data Protection Act 2018:
- “Controller” means the natural or legal person which determines the purposes and means of the processing of personal data.
- “Processor” means a natural or legal person which processes personal data on behalf of the controller.
- “Personal Data” means any information relating to an identified or identifiable natural person (data subject).
- “Special Category Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation.
- “Processing” means any operation or set of operations performed on personal data.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
- “UK GDPR” means the General Data Protection Regulation as retained in UK law pursuant to the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
- “DPA 2018” means the Data Protection Act 2018.
- “ICO” means the Information Commissioner’s Office.
- “IDTA” means the International Data Transfer Agreement published by the ICO.
2. DETAILS OF PROCESSING
2.1 The Processor shall process Personal Data on behalf of the Controller in accordance with the following particulars (as required by UK GDPR Article 28(3) and Annex I):
Subject matter and purpose of processing:
[Processing Purpose]
Nature of processing operations:
[Nature of Processing]
Categories of personal data:
[Data Categories]
Categories of data subjects:
[Data Subjects]
Duration of processing / Retention period:
[Retention Period]
3. CONTROLLER’S OBLIGATIONS AND INSTRUCTIONS
3.1 The Controller shall ensure that it has a lawful basis for processing each category of Personal Data under UK GDPR Article 6 (and Article 9 for Special Category Data) before instructing the Processor to process that data.
3.2 The Controller shall provide the Processor with documented processing instructions. The Processor shall process Personal Data only in accordance with those documented instructions unless required to do so by UK law, in which case the Processor shall inform the Controller before processing, unless that law prohibits such notification.
3.3 The Controller warrants that all Personal Data provided to the Processor has been collected and transferred in compliance with UK GDPR, DPA 2018, and all other applicable data protection legislation.
4. PROCESSOR’S OBLIGATIONS (UK GDPR ARTICLE 28)
4.1 The Processor undertakes to comply with all obligations imposed on a processor under UK GDPR and the DPA 2018, including but not limited to:
- processing Personal Data only on documented instructions from the Controller (Article 28(3)(a));
- ensuring that persons authorised to process Personal Data are subject to appropriate confidentiality obligations (Article 28(3)(b));
- implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 (Article 28(3)(c));
- not engaging sub-processors without the prior written authorisation of the Controller, and imposing equivalent data protection obligations on any sub-processor by contract (Article 28(3)(d));
- assisting the Controller in fulfilling its obligations under Articles 32–36 (security, breach notification, DPIA, prior consultation) taking into account the nature of processing and the information available to the Processor (Article 28(3)(f));
- assisting the Controller in responding to requests from Data Subjects exercising their rights under Chapter III of UK GDPR, taking into account the nature of the processing (Article 28(3)(e));
- at the choice of the Controller, deleting or returning all Personal Data to the Controller after the end of the provision of services relating to processing, and deleting existing copies unless UK law requires storage of the Personal Data (Article 28(3)(g));
- making available to the Controller all information necessary to demonstrate compliance with Article 28, and allowing for and contributing to audits and inspections by the Controller or an auditor mandated by the Controller (Article 28(3)(h)).
5. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES (UK GDPR ARTICLE 32)
5.1 The Processor shall implement and maintain the following technical and organisational measures appropriate to the risk, taking into account the state of the art, cost of implementation, and the nature, scope, context, and purposes of processing, as well as the likelihood and severity of the risk to the rights and freedoms of natural persons:
[Security Measures]
5.2 The Processor shall regularly review and update these measures to ensure they remain appropriate and effective. Any material changes to security measures shall be notified to the Controller in writing.
6. SUB-PROCESSORS (UK GDPR ARTICLE 28(2))
6.1 The Controller grants the Processor authorisation to engage sub-processors subject to the following conditions: [Sub Processor Approach].
6.2 The Processor shall: (a) enter into a written contract with each sub-processor that imposes the same data protection obligations as those set out in this DPA; (b) remain fully liable to the Controller for the acts and omissions of any sub-processor as if they were the Processor’s own acts and omissions; and (c) notify the Controller of any proposed changes to sub-processors to allow the Controller to object before such changes take effect.
6.3 Approved sub-processors as at the Effective Date: [Existing Sub-Processors]
7. PERSONAL DATA BREACH NOTIFICATION
7.1 The Processor shall notify the Controller without undue delay, and in any event within [Breach Notification Period] of becoming aware of a Personal Data Breach affecting any Personal Data processed under this Agreement.
7.2 Such notification shall include, to the extent available at the time of notification: (a) a description of the nature of the Personal Data Breach; (b) the categories and approximate number of Data Subjects affected; (c) the categories and approximate number of Personal Data records affected; (d) the likely consequences of the breach; and (e) the measures taken or proposed to address the breach.
7.3 The Processor acknowledges that the Controller may be required to notify the ICO within 72 hours of becoming aware of a breach under UK GDPR Article 33, and shall cooperate fully with the Controller in meeting this obligation.
8. DATA SUBJECT RIGHTS ASSISTANCE
8.1 The Processor shall promptly notify the Controller of any requests received directly from Data Subjects exercising their rights under Chapter III of UK GDPR (including rights of access, rectification, erasure, restriction, portability, and objection) and shall not respond to such requests without the Controller’s prior written authorisation, except to acknowledge receipt.
8.2 The Processor shall provide reasonable assistance to the Controller in responding to Data Subject requests within the time limits required by UK GDPR, at the Controller’s reasonable cost.
9. DATA PROTECTION IMPACT ASSESSMENTS
9.1 The Processor shall provide reasonable assistance to the Controller in carrying out data protection impact assessments (DPIAs) under UK GDPR Article 35 and in prior consultation with the ICO under Article 36, where the nature of the processing means such assessments are required.
10. CONFIDENTIALITY OF PROCESSING
10.1 The Processor shall ensure that only those personnel who need to access the Personal Data for the purposes of the Principal Agreement do so, and that all such personnel are subject to appropriate obligations of confidentiality, whether by contract, professional duty, or regulatory obligation.
10.2 The Processor’s personnel authorised to process Personal Data shall be made aware of the confidential nature of the Personal Data and shall sign appropriate confidentiality undertakings where not already bound by professional duty.
11. AUDIT AND INSPECTION RIGHTS
11.1 The Processor shall, on reasonable written notice of not less than [Audit Notice Period], allow the Controller (or its appointed third-party auditor, who shall not be a competitor of the Processor) to audit the Processor’s data processing activities, systems, and facilities insofar as they relate to the Personal Data processed under this Agreement.
11.2 The Processor shall provide the Controller with all information reasonably necessary to demonstrate compliance with the obligations in this DPA and shall cooperate fully with any audit. Where the Processor holds relevant certifications (such as ISO 27001) or third-party audit reports, it may provide these in lieu of a direct audit, subject to the Controller’s agreement.
12. RETURN AND DELETION OF PERSONAL DATA
12.1 Upon termination or expiry of this Agreement or the Principal Agreement (or upon the Controller’s earlier written request), the Processor shall, at the Controller’s election: (a) securely return all Personal Data (and any copies thereof) to the Controller in a structured, commonly used, and machine-readable format; or (b) securely delete or destroy all Personal Data and any copies, and provide written certification of such deletion or destruction within [Retention Period] of the relevant event.
12.2 The Processor may retain Personal Data beyond this period solely to the extent required by applicable UK law or regulatory obligation, and shall notify the Controller of any such retention, the legal basis for it, and the data concerned.
13. LIABILITY
13.1 Each Party’s liability to the other under or in connection with this DPA shall be subject to the limitations and exclusions set out in the Principal Agreement, to the extent permitted by applicable law.
13.2 Each Party shall indemnify and hold harmless the other Party in respect of any third-party claims, fines, penalties, enforcement actions by the ICO, or compensation claims from Data Subjects arising from or in connection with that Party’s breach of its obligations under this DPA or applicable UK data protection law.
13.3 Nothing in this DPA limits or excludes either Party’s liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited by law.
14. GOVERNING LAW AND JURISDICTION
14.1 This Agreement and any dispute or claim arising out of or in connection with it (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of [Governing Law Confirm].
14.2 Each Party irrevocably agrees that the courts of [Governing Law Confirm] shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter.
15. GENERAL PROVISIONS
15.1 Precedence: In the event of any conflict between this DPA and the Principal Agreement in relation to the processing of Personal Data, this DPA shall prevail.
15.2 Third Party Rights: A person who is not a party to this Agreement shall have no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any of its terms.
15.3 Amendments: This Agreement may not be amended except by a written instrument signed by an authorised representative of each Party.
15.4 Severability: If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
15.5 Entire Agreement: This DPA constitutes the entire agreement between the Parties with respect to the processing of Personal Data under the Principal Agreement and supersedes all prior representations, agreements, and understandings on that subject matter.
IN WITNESS WHEREOF, the Parties have executed this Data Processing Agreement as of the Effective Date first written above.
THE CONTROLLER
Name: [Controller Name]
Address: [Controller Address], [Controller City], [Controller Postcode]
ICO Registration No.: [Controller ICO No.]
THE PROCESSOR
Name: [Processor Name]
Address: [Processor Address], [Processor City], [Processor Postcode]
Controller
________________
Signature
Date: ________________
Processor
________________
Signature
Date: ________________
What Is a Data Processing Agreement — UK GDPR (England & Wales)?
A Data Processing Agreement — UK GDPR in the United Kingdom sets the service levels, data-handling duties, fees, and liability terms under which the technology or platform is supplied, as regulated by the UK General Data Protection Regulation (UK GDPR).
The DPA sets out the legal framework governing the relationship between the controller — the organisation that determines the purposes and means of processing — and the processor — the organisation that carries out the processing in accordance with the controller's instructions. Classic processor relationships include cloud hosting providers, SaaS platform operators, payroll bureaux, email marketing agencies, and any software vendor with access to customer or employee data.
Key legislation: UK GDPR (retained EU law), Data Protection Act 2018 (DPA 2018), the UK International Data Transfer Agreement (IDTA) published by the ICO for restricted international transfers, and the Privacy and Electronic Communications Regulations 2003 (PECR) for electronic marketing. The ICO enforces UK data protection law and can impose fines of up to £17.5 million or 4% of global annual turnover (the higher amount) for the most serious infringements.
The United Kingdom Data Processing Agreement — UK GDPR (England & Wales) template creates a thorough DPA that satisfies all eight mandatory requirements of Article 28(3) UK GDPR, addresses sub-processor authorisation in line with Article 28(2), includes provisions for international data transfers using the UK IDTA framework, specifies technical and organisational security measures under Article 32, sets a contractual breach notification deadline to enable the controller to meet the ICO's 72-hour reporting window under Article 33, and provides for data deletion or certified return on termination.
The legal framework governing the Data Processing Agreement — UK GDPR (England & Wales) in the United Kingdom draws on several key statutes and regulatory bodies. Under the Companies Act 2006, Companies House maintains the register of UK companies. Section 386 of the Companies Act 2006 sets accounting record obligations. The Competition and Markets Authority (CMA) enforces the Consumer Rights Act 2015. The Financial Conduct Authority (FCA) regulates financial services under the Financial Services and Markets Act 2000. The High Court of Justice has jurisdiction under the Senior Courts Act 1981. Parties executing a Data Processing Agreement — UK GDPR (England & Wales) in the United Kingdom should confirm the document reflects current law, including any amendments enacted since the original drafting date. The UK General Data Protection Regulation (UK GDPR) sets the foundational requirements.
When Do You Need a Data Processing Agreement — UK GDPR (England & Wales)?
- When engaging a cloud service provider, SaaS platform, or IT services company that will have access to your customers' or employees' personal data — for example, when moving CRM data to Salesforce, hosting employee records in an HR platform, or using a payroll bureau — because UK GDPR Article 28 makes a written DPA a legal prerequisite for any processor engagement.
- When an agency, marketing firm, or analytics provider processes personal data on your behalf — such as running email campaigns using your contact list, analysing website traffic data, or processing behavioural data for targeted advertising — to confirm compliance with UK GDPR and PECR and to demonstrate accountability under Article 5(2) UK GDPR.
- When sub-contracting any processing activity to a third party — for example, a software developer who has access to a production database, an accountant who processes payroll data, or a call centre that handles customer service records — because the controller remains responsible for the processor's compliance under UK GDPR.
- When transferring personal data to a processor based outside the UK — particularly to the United States, India, or other countries without UK adequacy status — because the DPA must incorporate a UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs to provide adequate safeguards under Chapter V UK GDPR.
- When responding to an ICO investigation, regulatory audit, or due diligence exercise in the context of a business sale or investment — because demonstrating a compliant DPA is a key element of UK GDPR accountability under Article 5(2) and Schedule 1 DPA 2018.
Without a compliant DPA, the controller and processor both risk ICO enforcement action, civil liability to data subjects under s.169 DPA 2018, and reputational damage. UK GDPR processors are also directly liable for their own breaches under Article 82(2) UK GDPR.
What to Include in Your Data Processing Agreement — UK GDPR (England & Wales)
Parties and Roles — Clear identification of the controller (including ICO registration number) and the processor (including Companies House number), their legal form and governing addresses. Establishing the correct controller/processor distinction is fundamental, as the parties bear different legal obligations under UK GDPR.
Principal Agreement Reference — The DPA should be incorporated as a schedule or addendum to the main services agreement, with the DPA prevailing in the event of any conflict on data protection matters.
Article 28(3) Processing Particulars — The mandatory schedule required by UK GDPR Article 28(3) specifying: the subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data; the categories of data subjects; and the controller's obligations and rights. These must be specific and not generic.
Processing on Instructions Only — The core processor obligation (Article 28(3)(a)): the processor may only process data on documented instructions from the controller, except where required to do so by UK law. This is the foundation of the controller/processor relationship.
Confidentiality of Processing — All personnel authorised to process personal data must be subject to appropriate confidentiality obligations (Article 28(3)(b)), whether contractual or arising from a professional duty.
Technical and Organisational Security Measures — A specific description of the security measures the processor will implement under Article 32 UK GDPR, appropriate to the risk and nature of the processing. This should include both technical controls (encryption, access controls, penetration testing) and organisational measures (policies, staff training, incident response procedures).
Sub-Processor Authorisation — Whether the controller grants general or specific written consent to sub-processors (Article 28(2)), the obligation to impose equivalent DPA terms on each sub-processor, and the processor's continued liability for sub-processor acts.
International Transfer Mechanism — If data is transferred outside the UK, the applicable transfer safeguard (UK adequacy regulations, UK IDTA, UK Addendum to EU SCCs, or ICO-approved binding corporate rules) must be specified, together with any Transfer Risk Assessment obligations.
Personal Data Breach Notification — The contractual notification deadline for the processor to report a breach to the controller (commonly 24–48 hours), which must be short enough for the controller to meet its 72-hour ICO notification obligation under Article 33 UK GDPR.
Data Subject Rights Assistance — The processor's obligation to promptly forward any data subject requests and to assist the controller in responding within UK GDPR time limits (one month, extendable to three months for complex requests under Article 12).
DPIA and Prior Consultation Support — The processor's duty to assist the controller with data protection impact assessments under Article 35 and prior consultation with the ICO under Article 36 where high-risk processing is involved.
Audit and Inspection Rights — The controller's right to audit the processor, subject to reasonable advance notice, to verify compliance with the DPA and UK GDPR obligations (Article 28(3)(h)).
Data Deletion or Return on Termination — The processor's obligation, at the controller's election, to securely delete or return all personal data on termination of the services, and to certify deletion in writing within the agreed period.
Governing Law and Jurisdiction — Confirmation that the DPA is governed by the laws of England and Wales, with the ICO as the competent supervisory authority for UK data protection purposes. The forms-legal.com Data Processing Agreement — UK GDPR (England & Wales) template covers the mandatory elements under UK General Data Protection Regulation (UK GDPR).
Sources & Citations
Statutory citations link to official government sources.
- GDPR Article 28 (EU – GDPR)
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Processing Agreement — UK GDPR (England & Wales) (United Kingdom) [Legal document template]. Forms Legal. https://forms-legal.com/uk/business/contracts/data-processing-agreement-england-wales
Frequently Asked Questions
Yes. Under Article 28(3) of the UK GDPR (as retained in UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications Regulations 2019), processing by a processor must be governed by a binding written contract that sets out the subject matter, duration, nature, and purpose of the processing, the type of personal data, the categories of data subjects, and the obligations and rights of the controller. Failure to have a compliant DPA in place can result in ICO enforcement action and fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) under s.157 of the Data Protection Act 2018. Under United Kingdom law, UK General Data Protection Regulation (UK GDPR), parties should seek independent legal advice from a qualified lawyer to confirm compliance with all applicable requirements. Under the Companies Act 2006, Companies House maintains the register of UK companies. Section 386 of the Companies Act 2006 sets accounting record obligations. Forms-legal.com provides this template as a starting point for United Kingdom-compliant documentation.
The UK International Data Transfer Agreement (IDTA), published by the ICO in March 2022, is the UK equivalent of the EU Standard Contractual Clauses (SCCs). It is required when a UK controller or processor transfers personal data to a third country (outside the UK) that has not been granted UK adequacy status under s.17A of the UK GDPR. Common transfer destinations requiring the IDTA include the United States (where no adequacy decision covers all transfers), India, and China. The IDTA replaced the old EU SCCs for UK transfers following Brexit. An alternative is to use the EU SCCs with the UK Addendum. Controllers should carry out a Transfer Risk Assessment (TRA) before relying on the IDTA.
Under Article 28(3) UK GDPR, a DPA must include the following mandatory provisions: (1) the processor processes personal data only on documented instructions from the controller; (2) persons authorised to process data are subject to confidentiality obligations; (3) appropriate technical and organisational security measures are implemented (Article 32); (4) sub-processors are engaged only with prior controller authorisation and under equivalent DPA obligations; (5) the processor assists the controller with data subject rights requests (Chapter III UK GDPR); (6) the processor assists with security, breach notification, DPIA, and prior consultation obligations (Articles 32–36); (7) personal data is deleted or returned after the service ends; and (8) the processor provides all information to demonstrate compliance and allows for audits. Missing any of these elements risks ICO enforcement.
Under Article 33 UK GDPR, a controller must notify the Information Commissioner's Office (ICO) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Processors must notify the controller without undue delay after becoming aware of a breach — this DPA template allows the parties to specify a shorter contractual notification period (24 or 48 hours) to give the controller sufficient time to meet its 72-hour ICO deadline. Where a breach is likely to result in a high risk to individuals, the controller must also notify the affected data subjects without undue delay under Article 34 UK GDPR.
Technically yes, but it is best practice to have a DPA for each principal services agreement, because the mandatory Article 28(3) particulars (processing purpose, data categories, data subjects, retention period) will differ for each engagement. If a processor serves many clients, it may use a standard DPA template that is incorporated by reference into each services agreement, with the specific processing particulars set out in a schedule. The ICO's accountability guidance recommends that controllers review and keep a record of all DPAs with processors as part of their Records of Processing Activities (ROPA) under Article 30 UK GDPR.
The Information Commissioner's Office (ICO) is the UK's independent data protection regulator. Under s.108 of the Data Protection Act 2018, most organisations that process personal data as a controller must pay a data protection fee to the ICO and register their processing activities. There are exemptions for certain not-for-profit organisations, small businesses processing only staff data, and processing for purely personal purposes. Failure to register when required is a criminal offence. Processors are not required to register separately with the ICO unless they also act as controllers for other processing activities.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.