Data Processing Agreement — UK GDPR (DPA 2018)
DATA PROCESSING AGREEMENT
Pursuant to Article 28 of the UK General Data Protection Regulation and the Data Protection Act 2018
PARTIES
This Data Processing Agreement ("DPA" or "Agreement") is entered into on [Agreement Date] between:
(1) [Controller Name], whose registered address is at [Controller Address], [Controller City], [Controller Postcode] (the "Controller"); and
(2) [Processor Name], whose registered address is at [Processor Address], [Processor City], [Processor Postcode] (the "Processor").
The Controller and Processor are each referred to individually as a "Party" and collectively as the "Parties".
BACKGROUND
The Parties have entered into, or are entering into, a services agreement (the "Services Agreement") under which the Processor will process personal data on behalf of the Controller. This DPA is incorporated into and forms part of the Services Agreement and governs the processing of personal data in accordance with UK data protection law, including the UK General Data Protection Regulation ("UK GDPR") as it forms part of domestic law by virtue of the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 ("DPA 2018").
1. DEFINITIONS
1.1 In this Agreement, the following terms shall have the meanings set out below. Any term not defined herein shall have the meaning given to it in the UK GDPR.
"Controller" means [Controller Name], which determines the purposes and means of the processing of personal data.
"Processor" means [Processor Name], which processes personal data on behalf of the Controller.
"Data Subject" means an identified or identifiable natural person to whom the personal data relates.
"ICO" means the Information Commissioner's Office, the UK's independent data protection authority.
"Personal Data" means any information relating to a Data Subject as further described in clause 2 of this Agreement.
"Personal Data Breach" has the meaning given in Article 4(12) of the UK GDPR, being a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
"Special Category Data" means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health, or data concerning a person's sex life or sexual orientation.
"Sub-processor" means any third party appointed by or on behalf of the Processor to process personal data on behalf of the Controller.
"UK GDPR" means the retained EU law version of the General Data Protection Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
2. DETAILS OF PROCESSING
2.1 The following sets out the subject matter, nature, purpose, and duration of the processing, the type of personal data processed, and the categories of Data Subject:
- Subject matter: Services provided by the Processor to the Controller under the Services Agreement.
- Nature of processing: [Processing Purpose]
- Categories of personal data: [Data Types]
- Duration of processing: [Processing Duration]
3. PROCESSOR OBLIGATIONS
3.1 The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by UK law to which the Processor is subject; in such case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on grounds of public interest (Article 28(3)(a) UK GDPR).
3.2 The Processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Article 28(3)(b) UK GDPR).
3.3 The Processor shall take all measures required pursuant to Article 32 of the UK GDPR. The technical and organisational security measures implemented by the Processor include: [Security Measures].
3.4 The Processor shall not engage another processor (Sub-processor) without the prior specific or general written authorisation of the Controller (Article 28(2) UK GDPR). Where general written authorisation is provided, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object.
3.5 The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the UK GDPR, taking into account the nature of the processing and the information available to the Processor.
3.6 The Processor shall, at the Controller's choice, delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless UK law requires storage of the personal data (Article 28(3)(g) UK GDPR).
3.7 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Article 28(3)(h) UK GDPR).
4. DATA SUBJECT RIGHTS
4.1 The Processor shall assist the Controller in responding to requests for exercising Data Subject rights under Chapter III of the UK GDPR (Articles 15–23), including the rights of access, rectification, erasure, restriction of processing, data portability, and to object. The Processor shall promptly notify the Controller if it receives a request from a Data Subject in respect of the personal data processed under this Agreement and shall not respond to any such request without the Controller's prior written instruction.
5. PERSONAL DATA BREACHES
5.1 The Processor shall notify the Controller without undue delay, and in any event within 24 hours of becoming aware of a Personal Data Breach, to enable the Controller to comply with its obligations to notify the ICO within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR. The notification shall include: (a) a description of the nature of the breach including, where possible, the categories and approximate number of Data Subjects and personal data records concerned; (b) the name and contact details of the Processor's data protection contact; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to be taken to address the breach.
6. INTERNATIONAL TRANSFERS
6.1 The Processor shall not transfer personal data outside of the United Kingdom without the prior written consent of the Controller and, where such transfer is permitted, shall ensure it is subject to appropriate safeguards as required by Chapter V of the UK GDPR and any applicable UK adequacy regulations or international transfer mechanisms approved by the Secretary of State or the ICO, including the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses where applicable.
7. GOVERNING LAW AND JURISDICTION
7.1 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales. Each Party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement.
SIGNATURES
IN WITNESS WHEREOF, the Parties have executed this Data Processing Agreement as of the date first written above.
For and on behalf of the Controller:
Name of Controller: [Controller Name]
Address: [Controller Address], [Controller City], [Controller Postcode]
Authorised Signatory: ____________________________
Name: ____________________________
Title: ____________________________
Date: ____________________________
For and on behalf of the Processor:
Name of Processor: [Processor Name]
Address: [Processor Address], [Processor City], [Processor Postcode]
Authorised Signatory: ____________________________
Name: ____________________________
Title: ____________________________
Date: ____________________________
Data Controller
________________
Signature
Date: ________________
Data Processor
________________
Signature
Date: ________________
What Is a Data Processing Agreement — UK GDPR (DPA 2018)?
A Data Processing Agreement — UK GDPR (DPA 2018) in the United Kingdom sets out what each party will provide, the consideration involved, and the responsibilities they take on for the arrangement, under the framework of the Data Protection Act 2018.
Following the UK's departure from the European Union, the UK retained the EU GDPR as the foundation of its domestic data protection framework, supplemented by the Data Protection Act 2018 (DPA 2018). The UK GDPR is functionally equivalent to the EU GDPR in most respects but has been adapted for the UK domestic context, including the appointment of the Information Commissioner's Office (ICO) as the principal supervisory authority.
Under the UK GDPR, a Data Controller is the entity that determines the purposes and means of processing personal data — for example, a business that instructs a cloud software provider to store and manage its customer records. The Data Processor is the entity that processes personal data on behalf of the Controller — in this example, the cloud provider. Both the Controller and the Processor have distinct obligations under the UK GDPR, and the DPA is the mechanism through which those obligations are formally established and documented.
Our UK Data Processing Agreement template is drafted in accordance with Article 28 of the UK GDPR and the ICO's guidance on Controller-Processor relationships. It covers all mandatory elements, including the subject matter, nature, and purpose of the processing, the categories of personal data, the duration of processing, the Processor's obligations regarding security measures under Article 32, breach notification within 72 hours to the ICO, assistance with data subject rights, international transfer safeguards, sub-processor management, and audit rights.
The legal framework governing the Data Processing Agreement — UK GDPR (DPA 2018) in the United Kingdom draws on several key statutes and regulatory bodies. Under the Companies Act 2006, Companies House maintains the register of UK companies. Section 386 of the Companies Act 2006 sets accounting record obligations. The Competition and Markets Authority (CMA) enforces the Consumer Rights Act 2015. The Financial Conduct Authority (FCA) regulates financial services under the Financial Services and Markets Act 2000. The High Court of Justice has jurisdiction under the Senior Courts Act 1981. Parties executing a Data Processing Agreement — UK GDPR (DPA 2018) in the United Kingdom should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies Act 2006 sets the foundational requirements.
When Do You Need a Data Processing Agreement — UK GDPR (DPA 2018)?
A Data Processing Agreement is legally required whenever a Data Controller engages a third party to process personal data on its behalf, and that third party processes the data only on the Controller's instructions. This applies across a vast range of common business relationships in the UK.
You need a DPA whenever you use a cloud computing service (such as a CRM, HR system, payroll platform, or email marketing tool) that processes your customers' or employees' personal data. Similarly, if you outsource IT support, customer service, accounting, or any other function that involves access to personal data, the provider of those services is acting as your Data Processor and a DPA is required.
The obligation also applies if you use a recruitment agency or employment business that processes personal data of job applicants on your behalf, if you engage a market research firm to process customer data for analysis, or if you use a third-party payment processor that handles personal financial information of your customers.
The consequences of failing to have a compliant DPA are significant. The ICO has the power to impose fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) for serious infringements of the UK GDPR, including the failure to put appropriate contracts in place with processors. Beyond regulatory fines, the absence of a DPA exposes businesses to reputational damage, loss of customer trust, and civil claims from data subjects whose rights have been infringed.
Even where a DPA is not strictly required by law — for example, where both parties are joint controllers rather than a controller-processor relationship — it remains best practice to document the data sharing arrangement in writing to demonstrate accountability under Article 5(2) of the UK GDPR.
Parties in the United Kingdom should prepare a Data Processing Agreement — UK GDPR (DPA 2018) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Data Processing Agreement — UK GDPR (DPA 2018)
A compliant Data Processing Agreement for UK businesses must contain several mandatory elements as prescribed by Article 28(3) of the UK GDPR, supplemented by the ICO's guidance on processor contracts.
The parties section must clearly identify the Data Controller and Data Processor by their full legal names and registered addresses. Where the controller is providing instructions to the processor, the agreement must make clear that the processor acts only on documented instructions from the controller.
The processing details section is the operational core of the agreement. It must specify: the subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data being processed; and the categories of data subjects affected. This information must be sufficiently detailed to demonstrate that the processing is limited to what is necessary for the specified purpose — reflecting the data minimisation principle under Article 5(1)(c) of the UK GDPR.
The processor obligations section must cover all the mandatory requirements of Article 28(3), including: the confidentiality obligation (confirming that all authorised persons are bound by appropriate confidentiality undertakings); security measures under Article 32 (specifying the technical and organisational measures implemented by the processor); sub-processor management (requiring prior written consent before engaging sub-processors and imposing equivalent obligations on sub-processors); assistance with data subject rights; assistance with the controller's Article 32–36 obligations; deletion or return of personal data on termination; and audit rights.
The breach notification provisions are of particular importance. Under Article 33, the Controller must notify the ICO within 72 hours of becoming aware of a breach. The DPA should require the Processor to notify the Controller within 24 hours to give the Controller adequate time to comply. The notification should include a description of the breach, the categories and approximate number of affected data subjects and records, contact details of the processor's data protection point of contact, likely consequences, and measures taken or proposed.
The international transfers section addresses restrictions on transferring personal data outside the United Kingdom. Unless the destination country benefits from a UK adequacy decision, appropriate safeguards must be in place, such as the UK IDTA or the UK Addendum to the EU Standard Contractual Clauses.
Finally, the governing law clause should specify the laws of England and Wales as the governing law and designate the courts of England and Wales as having exclusive jurisdiction, confirming that any disputes are resolved in a forum familiar with UK data protection law.
Forms-legal.com provides this template as a starting point for United Kingdom-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Processing Agreement — UK GDPR (DPA 2018) (United Kingdom) [Legal document template]. Forms Legal. https://forms-legal.com/uk/business/contracts/data-processing-agreement-uk-gdpr
"Data Processing Agreement — UK GDPR (DPA 2018) (United Kingdom)." Forms Legal, 2026, https://forms-legal.com/uk/business/contracts/data-processing-agreement-uk-gdpr.
@misc{formslegal-data-processing-agreement-uk-gdpr,
author = {{Forms Legal}},
title = {Data Processing Agreement — UK GDPR (DPA 2018) (United Kingdom)},
year = {2026},
howpublished = {\url{https://forms-legal.com/uk/business/contracts/data-processing-agreement-uk-gdpr}},
note = {Free legal document template. Based on Companies Act 2006}
}
Frequently Asked Questions
Yes. Article 28(3) of the UK General Data Protection Regulation (UK GDPR), which forms part of domestic law by virtue of the European Union (Withdrawal) Act 2018, requires that processing by a processor shall be governed by a contract or other legal act that is binding on the processor with respect to the controller. The contract must set out the subject matter, duration, nature, and purpose of the processing, the type of personal data, and the categories of data subjects. Failure to have an appropriate DPA in place may result in enforcement action by the Information Commissioner's Office (ICO), including fines of up to £17.5 million or 4% of global annual turnover under section 157 of and Schedule 16 to the Data Protection Act 2018. Under United Kingdom law, including the Companies Act 2006, parties should seek independent legal advice from a qualified lawyer to confirm compliance with all applicable requirements.
Under Article 4 of the UK GDPR, a Data Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A Data Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The key distinction is decision-making authority: the Controller decides why and how data is processed, while the Processor acts only on the Controller's documented instructions. Controllers bear primary responsibility for compliance, but Processors have direct obligations under the UK GDPR, including implementing appropriate security measures under Article 32 and assisting with breach notifications under Article 33.
Under Article 33 of the UK GDPR, a Data Controller must notify the ICO of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where a Processor becomes aware of a personal data breach, it must notify the Controller without undue delay under Article 33(2). This DPA requires the Processor to notify the Controller within 24 hours of becoming aware, giving the Controller adequate time to comply with the 72-hour ICO notification deadline. Where the breach is likely to result in a high risk to individuals, the Controller must also notify the affected data subjects without undue delay under Article 34.
Transfers of personal data outside the United Kingdom are regulated by Chapter V of the UK GDPR and the associated adequacy regulations made by the Secretary of State. Following the UK's departure from the EU, the UK has its own international transfer regime. Transfers may be made to countries that have received an adequacy decision from the UK Government (which include the EEA countries and certain others). Where no adequacy decision exists, appropriate safeguards must be in place, such as the UK International Data Transfer Agreement (IDTA) published by the ICO in 2022, or the UK Addendum to the EU Standard Contractual Clauses. This DPA requires the Processor to obtain the Controller's prior written consent before making any international transfer.
No. Article 28(2) of the UK GDPR provides that a processor shall not engage another processor without prior specific or general written authorisation of the controller. Where general written authorisation is granted, the processor must inform the controller of any intended changes concerning the addition or replacement of sub-processors, giving the controller the opportunity to object to such changes. Sub-processors must be subject to the same data protection obligations as those imposed on the Processor under the DPA. If a sub-processor fails to fulfil its data protection obligations, the Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.