What is a Data Processing Agreement?
This document is GDPR compliant.
When should I use a Data Processing Agreement?
- when there is an existing Services agreement (known as the ‘main’ or ‘master’ services agreement) between:
  - a data controller (ie the party who decides on the purposes for and means of processing personal data), referred to as the ‘customer’, and
  - a data processor (ie the party that carries out the instructions of the data controller and processes relevant personal data), referred to as the ‘supplier’
- when the supplier is processing personal data to supply services under the main services agreement, or as instructed by the customer
- to set out how personal data will be processed
- if you are based in the UK
- if personal data belonging to UK and/or EU data subjects (ie the individuals the data relates to) is being processed
DATA PROCESSING AGREEMENT
This Data Processing Agreement (DPA) is made on the date of last signature below between:
(each a party and together the parties)
- The Supplier is a provider of (Services).
- The parties entered into an agreement for the provision of services on (Agreement).
- The parties have agreed to enter into this DPA in relation to the processing of personal data by the Supplier in the course of providing the Services. The terms of this DPA are intended to apply in addition to and not in substitution of the terms of the Agreement.
- In this DPA, the following words are defined:
Affiliate
any entity that directly or indirectly controls, or is controlled by, or is under common control with the subject entity. 'Control' for the purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
Data Protection Law
all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom applicable to the Processing of Personal Data under the Agreement, including, but not limited to EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; and
to the extent applicable, the data protection or privacy laws of any other country.
GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the EU GDPR); and
the EU GDPR as implemented or adopted under the laws of the United Kingdom (UK GDPR) (General Data Protection Regulation).
Personnel
in relation to a party, those of its employees, workers, agents, consultants, contractors, sub-contractors, representatives or other persons employed or engaged by that party on whatever terms.
Sub-processor
any entity (whether or not an Affiliate of the Supplier, but excluding the Supplier’s Personnel) appointed by or on behalf of the Supplier to process Personal Data on behalf of the Customer under this DPA.
Working Day
any day, other than a Saturday, Sunday, or public holiday in England and Wales.
- Terms such as “Data Subject”, “Processing”, “Personal Data”, “Controller”, and “Processor”, "Supervisory Authority" and "Personal Data Breach" shall have the same meaning as ascribed to them in the Data Protection Law.
- In this DPA unless the context requires a different interpretation:
- the singular includes the plural and vice versa;
- references to sub-clauses, clauses, schedules or appendices are to sub-clauses, clauses, schedules or appendices of this DPA;
- a reference to a person includes firms, companies, government entities, trusts and partnerships;
- 'including' is understood to mean 'including without limitation';
- reference to any statutory provision includes any modification or amendment of it;
- the headings and sub-headings do not form part of this DPA; and
- 'writing' or 'written' will include fax and email unless otherwise stated.
Processing Customer Personal Data
- For the purpose of Data Protection Law, the Customer shall be the Controller and the Supplier shall be the Processor.
- The Supplier and each Supplier Affiliate shall:
  - comply with all applicable Data Protection Law in the Processing of Customer Personal Data; and
  - only Process Personal Data on the Customer's documented instructions, unless Processing is required by any applicable law to which the Supplier is subject (in which case, the Supplier shall, to the extent permitted by applicable law, inform the Customer of such legal requirement before undertaking the Processing).
- The Supplier and each Supplier Affiliate shall take reasonable steps to ensure the reliability of Personnel who have access to the Personal Data, ensuring in each case that such Personnel is subject to a strict duty of confidentiality (whether a contractual or statutory duty) and that they Process the Personal Data in compliance with all applicable law and only for the purpose of delivering the Services under the Agreement.
- The Supplier will establish data security in relation to the Processing of Personal Data under this DPA. The measures to be taken must guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of the Processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons must be taken into account. Such measures may include, as appropriate:
  - the pseudonymisation and encryption of Personal Data;
  - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  - the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
  - a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
- In assessing the appropriate level of security, the Supplier shall take into account any risks that are presented by the Processing, in particular, from a Personal Data Breach.
- The Supplier has laid down the technical and organisational measures in Schedule 2 of this DPA. Technical and organisational measures are subject to technical progress and further development. In this respect, the Processor may implement alternative adequate measures from time to time and shall notify the Customer in writing where it has done so.
- The Customer authorises the Supplier and each Supplier Affiliate to appoint the Sub-processors listed in Schedule 3 (if any) and any new Sub-processors in accordance with the subsequent provisions.
- With respect to each Sub-processor, the Supplier, or the Supplier Affiliate shall:
  - carry out appropriate due diligence prior to the Processing by such Sub-processor to ensure that the Sub-processor is capable of providing the level of protection for Personal Data required by the terms of the Agreement and this DPA;
  - enter into a written agreement with the Sub-processor incorporating terms which are substantially similar (and no less onerous) than those set out in this DPA and which meet the requirements of Article 28(3) of UK GDPR; and
  - remain fully liable to the Customer for all acts or omissions of such Sub-processor as though they were its own.
- The Supplier and each Supplier Affiliate may continue to use Sub-processors already engaged by the Supplier or Supplier Affiliate as at the date of this DPA subject to the Supplier or Supplier Affiliate meeting the obligations set forth in the preceding clause as soon as reasonably practicable.
- The Supplier shall give the Customer prior written notice of the appointment of any new Sub-processor, including the name of the Sub-processor it seeks to appoint and the Processing activity to be undertaken by the Sub-processor.
- If within 30 days of receipt of notice under the preceding clause, the Customer (acting reasonably and in good faith) notifies the Supplier in writing of any objections to the proposed appointment:
  - the parties will work in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of the proposed Sub-processor without unreasonably burdening the Customer; and
  - where such a change cannot be made within 30 days of the Supplier's receipt of the Customer's notice, the Customer may, notwithstanding the terms of the Agreement, serve written notice on the Supplier to terminate the to the extent that the provision of the Services is or would be affected by the appointment.
Data Subject Rights
- Taking into account the nature of the Processing, the Supplier and each Supplier Affiliate shall assist the Customer in implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising Data Subjects' rights under the Data Protection Law.
- The Supplier shall:
  - promptly (and in any event, within 24 hours) notify the Customer if it (or any of its Sub-processors) receives a request from a Data Subject; and
  - fully cooperate with and assist the Customer in relation to any request made by a Data Subject,
  under the Data Protection Law in respect of Personal Data Processed by the Supplier under the terms of the Agreement or this DPA.
Personal Data Breaches
- The Supplier shall:
  - notify the Customer without undue delay (in any event, no later than 72 hours) upon becoming aware of any Personal Data Breach affecting the Personal Data Processed by the Supplier under this DPA;
  - provide sufficient information to enable the Customer to evaluate the impact of such Personal Data Breach and to meet any obligations on the Customer to report the Personal Data Breach to a Supervisory Authority and/or notify the affected Data Subjects in accordance with the Data Protection Law;
  - provide the Customer with such assistance as the Customer may reasonably request; and
  - cooperate with the Customer and take such reasonable commercial steps (as directed by the Customer) to assist in the evaluation, investigation, mitigation and remediation of each such Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation
- The Supplier and each Supplier Affiliate shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with Supervisory Authorities or other competent authorities which the Customer considers necessary pursuant to Articles 35 and 36 of the UK GDPR.
- Such assistance from the Supplier shall be limited, in each case, to the Processing of Personal Data under this DPA.
Return and Deletion of Personal Data
- Subject to the subsequent clause, the Supplier and each Supplier Affiliate shall promptly and in any event, within 30 days of the expiry or termination of the Agreement, delete or return all copies of Personal Data Processed by the Supplier and/or its Sub-processors on behalf of the Customer by such means as the parties shall agree in writing.
- The Supplier (and its Sub-processors) may retain Personal Data Processed under this DPA to the extent required by any applicable law to which the Supplier (or any Sub-processor) is subject and only to the extent and for such period as required by applicable law. Where applicable, the Supplier shall notify the Customer of any such requirement and ensure the confidentiality of such Personal Data. Any Personal Data Processed under this DPA and retained by the Supplier (or any Sub-processor) in accordance with this clause shall not be Processed for any purpose other than the purpose specified in the applicable laws.
- The Customer may require the Supplier to provide written certification confirming that it has complied in full with its obligations under this section entitled 'Return and deletion of personal data.'
- The Supplier and each Supplier Affiliate shall make available to the Customer on request all information necessary to demonstrate compliance with this DPA.
- The Supplier shall allow for and contribute to audits, including inspections, by the Customer (or any other auditor mandated by the Customer) in relation to the Processing of Personal Data under this DPA.
- The Customer (or any other auditor mandated by the Customer) shall give the Supplier or Supplier Affiliate reasonable notice of any audit or inspection, and shall make all reasonable endeavours to avoid causing any damage, injury or disruption to the Supplier or Supplier Affiliate's premises, equipment, personnel and business in the course of the audit or inspection.
- Such audit rights may be exercised only once in any calendar year during the term of the Agreement and for a period of 3 years following the expiry or termination of the Agreement.
- Nothing in this DPA limits or excludes either party's liability for death or personal injury caused by its negligence, or fraud or fraudulent misrepresentation.
- Subject to the preceding clause, the total liability of either party to the other for any non-compliance with this DPA shall be subject to any limitation regarding monetary damages set forth in the Agreement.
- Except in respect of any provision of this DPA that expressly or by implication is intended to come into or continue in force on or after the expiry or termination of the Agreement, this DPA shall be coterminous with the Agreement.
- No party may assign, transfer or sub-contract to any third party the benefit and/or burden of the DPA without the prior written consent (not to be unreasonably withheld) of the other party.
- No variation of the DPA will be valid or binding unless it is recorded in writing and signed by or on behalf of both parties.
- No variation of the Agreement will be valid or binding unless it is recorded in writing and signed by or on behalf of both parties.
- The Contracts (Rights of Third Parties) Act 1999 does not apply to the DPA and no third party has any right to enforce or rely on any provision of the DPA.
- Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
- If any court or competent authority finds that any provision (or part) of the DPA is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of the DPA will not be affected.
- Any notice (other than in legal proceedings) to be delivered under the DPA must be in writing and delivered by pre-paid first class post to or left by hand delivery at the other party’s registered address or place of business, or sent by fax to its main fax number. Notices:
  - sent by post will be deemed to have been received, where posted from and to addresses in the United Kingdom, on the second Working Day and, where posted from or to addresses outside the United Kingdom, on the tenth Working Day following the date of posting;
  - delivered by hand will be deemed to have been received at the time the notice is left at the proper address; and
  - sent by fax will be deemed to have been received on the next Working Day after transmission.
Governing Law and Jurisdiction
- This DPA will be governed by and interpreted according to the law of England and Wales and all disputes arising under the DPA (including non-contractual disputes or claims) shall be subject to the exclusive jurisdiction of the English and Welsh courts.
The parties have signed this DPA on the date(s) below:
Schedule 1 - Processing Activities
This Schedule 1 includes certain details of the Processing of Personal Data as required by Article 28(3) UK GDPR. The subject matter and duration of the Processing of the Personal Data are set out in the Agreement and this DPA.
The nature and purpose of the Processing of Personal Data
The Supplier will Process Personal Data as necessary to provide the Services pursuant to the Agreement, and as further instructed by the Customer in its use of the Services.
The types of Personal Data to be Processed
The Customer may submit Personal Data to the Services, the extent of which, is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to the following types of Personal Data:
The categories of Data Subject to whom the Personal Data relates
The Customer may submit Personal Data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
The obligations and rights of Customer and Customer Affiliates
The obligations and rights of the Customer (and any Customer Affiliates) are set out in the Agreement and this DPA.
Schedule 2 - Technical and Organisational Measures
The Supplier will conduct the activities covered by this DPA in compliance with relevant data protection policies and guidance, available from the Data Protection Officer or another person responsible for data protection compliance.
Schedule 3 - Sub-Processors
The Customer agrees that the Supplier may sub-contract certain obligations under this DPA to the following Sub-processors:
Name of Sub-processor:
- Contact details:
- Email address:
- Telephone number:
- Sub-contracted activities:
About Data Processing Agreements
Learn more about making your Data Processing Agreement
How to make a Data Processing Agreement
Making your Data Processing Agreement online is simple. Just answer a few questions and Rocket Lawyer will build your document for you. When you have all of the information about the service relationship and data processing prepared in advance, creating your document is a quick and easy process.
You’ll need the following information:
The supplier and the customer
Who is the supplier’s signatory? This is the person who will sign the Agreement on the supplier’s behalf.
Who is the customer’s signatory? This is the person who will sign the Agreement on the customer’s behalf.
The master services agreement
What is the date of the master services agreement?
What services are being provided under the master services agreement?
The personal data
Which types of personal data will be processed? For example, personal details? Education and training details? Financial information?
Who are the data subjects (ie the people to which the data relates)? For example, the customer’s staff or clients?
Will any data be transferred outside of the EEA? If so:
Does the data relate to people in the UK only? If so, will it be transferred using the IDTA or the old EU SCCs?
Or, does the data relate to people in the UK and the EU?
Does the supplier have an Information security policy in place? If so, is it available online?
Are any other relevant data protection policies or sets of guidance available online?
Does the supplier have security measures in place to protect the data? If so, what are they?
Are any sub-processors currently engaged by the supplier? If so, you must provide their names, email addresses, and phone numbers, and details of the activities they’re sub-contracted to perform.
If the customer objects to a sub-processor’s appointment, can they end the whole master services agreement or just a specific order made under it?
If only a specific order, will the supplier refund any fees already paid for a cancelled order?
Common terms in a Data Processing Agreement
Data Processing Agreements set out the terms on which a supplier will process personal data for a customer. To do this, this Data Processing Agreement template includes sections headed:
The Agreement starts by clearly setting out who the supplier and the customer are (ie the parties to the Agreement).
This section provides basic information about the service relationship, including the type of services the supplier provides and the date of the master services agreement. It explains how the DPA applies to the master services agreement.
This definition table assigns specific meanings to key terms used throughout the Agreement. When these terms (eg ‘Addendum’ or ‘Sub-processor’) are used capitalised throughout the Agreement, they carry the meaning they’re given in this table.
Processing customer personal data
This section sets out basic rules for how the supplier will process the customer’s personal data. For example, generally only in accordance with the customer’s documented instructions.
This section provides details of how the supplier is agreeing to ensure the security of the customer’s data when it is being processed. It sets out the requirement for security measures proportionate to factors including the risks involved in the processing, gives examples of security measures (eg data encryption), and explains what they should cover. The section also refers to the supplier’s organisational and technical security measures, which are listed in Schedule 2 of the DPA.
This section sets out the rules and procedures that must be followed when new sub-processors are appointed. For example, checks must be made to ensure that the sub-processor is appropriate, and the customer must be told about the new appointment and given an opportunity to object. The section also explains what happens if the customer does object and no resolution can be reached (eg either the master services agreement or a specific order under it may be ended).
Data subject rights
This section explains how the supplier and customer must work together to help fulfil data protection requests to uphold data subjects’ data protection rights.
Personal data breaches
The supplier’s obligations to the customer in the instance of a data breach are set out here. For example, the supplier must notify the customer of any breaches without undue delay and must provide the customer with any relevant assistance that they reasonably request.
Data protection impact assessment and prior consultation
This section explains the supplier’s obligation to help the customer, to a reasonable extent, with any data protection impact assessments (DPIAs) they’re required to carry out or with any relevant consultations.
Return and deletion of personal data
This section sets out when and how the supplier should delete or return to the customer any personal data, and copies of it, after the end of the master services agreement or when appropriate.
This section sets out how the supplier should facilitate audits by the customer for the purpose of checking that the supplier is compliant with this DPA. The terms require that the customer gives the supplier reasonable notice of such inspections and that they only perform inspections a maximum of one time per calendar year.
If personal data will be transferred outside of the EEA, this section will be included in the DPA. It explains what a restricted transfer is and requires that the supplier and relevant sub-processors enter into appropriate agreements (eg IDTAs) to safeguard any restricted transfers that are made.
Liability and indemnity
If you indicate that both parties are providing an indemnity, this section sets out the indemnity that they’re providing each other with against losses or similar due to any breaches of their obligations under the DPA.
The section also sets out instances in which liability cannot be limited (eg if one party causes the other death or personal injury by their negligence).
This section deals with various other points of law that govern how this Agreement operates. For example:
- explaining that the DPA will end when the master services agreement ends, except for any specific provisions that are intended to continue
- restricting how the parties can deal with the Agreement (eg preventing them from assigning their rights or obligations under the Agreement to others without the other party’s permission)
- requiring that any variations to the Agreement must be made in writing and signed
- excluding the Contracts (Rights of Third Parties) Act 1999 or the Contract (Third Party Rights) (Scotland) Act 2017. This essentially means that third parties (ie not the supplier or the customer) that would otherwise be able to enforce obligations under this Agreement under the Act cannot do so
- setting out how any notices or other similar communications that must be given under the Agreement should be delivered
Governing law and jurisdiction
This section sets out which country’s legal system must be used to resolve any disputes. This is the Agreement’s jurisdiction. This is necessary as the legal systems of England and Wales and of Scotland are different.
The body of the Agreement is followed by spaces for both parties’ signatories to sign the DPA to make it legally binding.
Schedule 1 - Processing activities
This schedule sets out certain details about the personal data to be processed and the processing, in compliance with the GDPR. For example, the types of personal data being collected and the categories of data subjects that it relates to are set out.
Schedule 2 - Technical and organisational measures
This schedule provides details of the supplier’s information and data security practices. It refers to any relevant data protection policies (eg an information security policy) and sets out which security measures are in place.
Schedule 3 - Sub-processors
If any relevant sub-processors are currently engaged by the supplier, their details are set out here.
If you want your DPA to include further or more detailed provisions, you can edit your document. However, if you do this, you may want a lawyer to review the document for you (or to make the changes for you) to make sure that your modified Data Processing Agreement complies with all relevant laws and meets your specific needs. Use Rocket Lawyer’s Ask a lawyer service for assistance.
Legal tips for customers and suppliers
Ensure your master services agreement is appropriate
This DPA is not intended as a standalone contract but as a supplement to a master services agreement. It’s important that your master services agreement itself is compliant with the law, to ensure that your DPA is also valid and appropriate. If you’re unsure how to create a master services agreement, or if you’re not sure if yours is legally valid, you can Ask a lawyer for assistance.
Create data protection policies to help your organisation with data protection compliance
This DPA contains commitments that will help you to keep personal data safe when a supplier is processing it on a customer’s behalf. Setting out these commitments and practices is only one aspect of data protection compliance. It’s important that all organisations follow good data protection practices in all areas of their operations. Having various data protection policies in place can help you to do this. You should consider making:
- a data retention policy - setting out what data should be stored or archived, where this should happen, and for how long
- an Information security policy - outlining security and other related matters (eg how access to equipment will be secured, business continuity arrangements, and how personal data can be protected and recovered)
- a privacy notice - informing data subjects about the ‘what, how, where, why and when?’ of how you process their personal data
Make sure you comply with data protection law in practice
Having the right contracts, policies, and other documents in place is important, but this won’t in itself enable your organisation to comply with data protection law. You must make sure that you actually carry out the practices you’ve committed to in your data protection documents, like DPAs. For example, processors must make sure they follow a customer’s instructions when processing their data and that they maintain their specified security measures.
Understand when to seek advice from a lawyer
In some circumstances, it’s good practice to Ask a lawyer for advice to ensure that you’re complying with the law and that you are well protected from risks. You should consider asking for advice if:
- this document doesn’t meet your specific needs
- the supplier processes the data for reasons other than to supply services under the main services agreement or as instructed by the customer
- you require bespoke policies drafted
Data Processing Agreement FAQs
What is included in a Data Processing Agreement?
This DPA template covers:
- who the parties (ie the supplier and the customer) are
- the services being provided under the master services agreement
- details of the master services agreement
- the types of personal data being processed
- how data will be processed (eg the scope and purpose for processing)
- who the data subjects are
- details of any sub-processors
- security measures used to protect the personal data
Why do I need a Data Processing Agreement?
The UK General Data Protection Regulation (GDPR) and Data Protection Act 2018 require data controllers to take measures to ensure the protection of any personal data that they process. Using DPAs is an excellent way of meeting this key GDPR compliance requirement, as doing so clearly sets out technical requirements for the supplier and customer to follow to protect personal data when the supplier is processing the customer’s personal data.
Whenever a data controller wishes to outsource data processing to a third party, they should enter into a DPA with the third party to ensure the safety of the personal data. For more information, read Data processing agreements.
How are services agreements and DPAs connected?
A DPA supplements a master services agreement (eg a Services agreement). While the master services agreement sets out the terms agreed between the parties for the provision of services, the Data Processing Agreement specifically deals with how personal data will be processed under the master agreement. For more information, read Data processing agreements.
What are restricted transfers?
Transfers to ‘third countries’ (ie countries other than the UK) are known as ‘restricted transfers’. It is prohibited to transfer personal data to third countries unless one of the appropriate safeguards is in place. For example, standard contractual clauses (SCCs) or an adequacy regulation. Safeguards are often incorporated into (ie legally linked to) the DPA.
Under this DPA, personal data belonging to UK data subjects only can be transferred under:
- the IDTA, for contracts entered into after 21 September 2022
Anyone relying on the old EU SCCs to transfer data out of the UK must update their agreements no later than 21 March 2024 to use the new EU SCCs in conjunction with the Addendum, or the IDTA.
What are sub-processors?
Sub-processors are any data processors engaged by the supplier. A sub-processor undertakes processing activities on behalf of the supplier. Examples of sub-contracted activities include:
- processing personal data on the supplier's behalf
- storing personal data (eg in cloud-based storage systems) for the supplier
The supplier can only appoint a sub-processor if the customer consents.
Can the customer object to a sub-processor?
Whenever a sub-processor is to be appointed, the customer must be informed and provided with relevant information (eg who the sub-processor is and what processing they will undertake). The customer then has 30 days to object to the appointment.
If the customer objects to the appointment of a sub-processor, the supplier and customer should work together to make commercially reasonable changes to the provision of the services in order to avoid the use of the sub-processor. If an agreement cannot be reached within 30 days, the customer is allowed to end:
- the specific order in question (ie a specific order under the master services agreement, leaving the master services agreement in place), or
- if allowed under the DPA, the entire master services agreement
What are security measures?
Security measures are procedures or similar that prevent personal data from being accidentally or deliberately compromised. Anyone processing personal data must have security measures in place to protect their data. Examples of security measures include:
- appointing a data protection officer (DPO) - this is an employee responsible for ensuring data protection compliance
- having an Information security policy in place - setting out security measures and related matters (eg rules on access to equipment for anyone outside the business)
If you have any existing security pages and/or policies in place, these can be inserted or linked to in the DPA.