How to make a Data processing agreement

Use a data processing agreement to supplement a master services agreement by setting out the particulars of how personal data will be processed (eg the scope and purpose for processing).

This document is GDPR compliant.

Recently reviewed by Lauren Delin, Solicitor. 

This data processing agreement was last reviewed on 30 March 2022.

A data processing agreement (DPA) is an agreement between a data controller (ie the party that decided on the purposes for and means of processing personal data), referred to as the ‘customer’, and a data processor (ie the party that carries out the instructions of the data controller in its processing of personal data, like a third-party service provider), referred to as the ‘supplier’. A DPA sets out how personal data (eg names and addresses) is to be processed (eg collected or stored). For more information, read Data protection.

Use this DPA:

  • to supplement an existing Services agreement (known as the ‘main services agreement’)
  • where the supplier is processing the personal data:
    • to supply services under the main services agreement, or 
    • as instructed by the customer
  • to set out how personal data will be processed 
  • if you are based in the UK
  • if personal data belonging to UK and/or EU data subjects (ie the individuals the data relates to) is being processed

This data processing agreement template covers:

  • who the parties are
  • the services provided
  • details of the master services agreement
  • the types of personal data being processed
  • the data subjects
  • sub-processors
  • security measures to protect the personal data

The UK General Data Protection Regulations (GDPR) and Data Protection Act 2018 require data controllers to take measures to ensure the protection of any personal data they process. Having in place a DPA is a key component of GDPR compliance as it sets out technical requirements for the supplier and customer to follow when processing personal data. 

Whenever a data controller wishes to outsource data processing to a third party, they need to enter into a DPA with the third party to ensure the safety of the personal data. For more information, read Data processing agreements.

A DPA supplements a master services agreement (eg the Services agreement). While the master services agreement sets out the terms agreed between the parties for the provision of services, the data processing agreement specifically deals with the processing of personal data. For more information, read Data processing agreements.

When completing the DPA, certain information from the master services agreement will be needed. This includes:

  • the name and address of the supplier and customer
  • the date the master services agreement was entered into
  • the services the supplier is providing to the customer under the main services agreement

Transfers to ‘third countries’ (ie countries outside the UK) are known as ‘restricted transfers’. It’s prohibited to transfer personal data to third countries unless safeguards (eg standard contractual clauses (SCCs)) are put in place. This will often involve incorporating the safeguards into the DPA. 

Personal data can be transferred outside the European Economic Area (EEA) (eg to the United States of America), provided that such safeguards are in place.

Under this DPA, personal data belonging to both UK and EU data subjects can be transferred under the ‘new’ EU SCCs and the International Data Transfer Addendum.

Under this DPA, personal data belonging to UK data subjects only can be transferred under:

Anyone relying on the 'old' EU SCCs must update their agreements no later than 21 March 2024 and use the IDTA.

For more information, read International transfers of personal data and Standard contractual clauses.

Sub-processors are any data processors engaged by the supplier. The sub-processor undertakes processing activities on behalf of the supplier. Examples of such sub-contracted activities include:

  • processing personal data on the supplier's behalf

  • storing personal data (eg in cloud-based storage systems) for the supplier

The supplier can only appoint a sub-processor if the customer consents. 

For more information, read Subcontracting work and Data processing agreements.

Whenever a sub-processor is to be appointed, the customer must be informed and provided with relevant information (eg who the sub-processor is and what processing they will undertake). The customer then has 30 days to object to the appointment.

If the customer objects to the appointment of a sub-processor, the supplier and customer should work together to make commercially reasonable changes to the provision of the services that avoid the use of the sub-processor. If an agreement cannot be reached within 30 days, the customer is allowed to end:

  • the entire master services agreement
  • the specific order in question (ie an order under the master services agreement, leaving the master services agreement in place)

Anyone processing personal data must have security measures in place to prevent personal data from being accidentally or deliberately compromised. Examples of security measures include:

  • appointing a data protection officer (DPO) - this is an employee responsible for ensuring data protection compliance
  • having in place an information security policy - setting out security and related matters (eg access to equipment for anyone outside the business)
  • having in place relevant data protection policies - including a data retention policy (setting out how long data will be stored and how data will be disposed of), privacy notices (setting out the 'what, how, where, why and when' of data processing) and Privacy policy (informing website users about the proposed processing of their personal data)

If you have any existing security pages and/or policies in place, these can be inserted or linked to in the DPA.

If you require bespoke policies drafted, Ask a lawyer for assistance. For more information, read Data protection principles.

Ask a lawyer if:

  • this document doesn’t meet your specific needs

  • the supplier processes the data for reasons other than to supply services under the main services agreement or as instructed by the customer

  • you require bespoke policies drafted

This DPA is governed by the laws of England and Wales or the law of Scotland.

Other names for Data processing agreement

DPA, Data processing addendum, GDPR data processing agreement, Data protection addendum.