Ask a lawyer if: this document doesn’t meet your specific needs the supplier processes the data for reasons other than to supply services under the main services agreement or as instructed by the customer if you require bespoke policies drafted This DPA is governed by the laws of England and Wales or the law of Scotland.

Free Data Processing Agreement | Template & FAQs

Q: How are services agreements and DPAs connected?

A DPA supplements a master services agreement (eg the Services agreement). While the master services agreement sets out the terms agreed between the parties for the provision of services, the data processing agreement specifically deals with the processing of personal data. For more information, read Data processing agreements.

How to make a Data processing agreement

Use a data processing agreement to supplement a master services agreement by setting out the particulars of how personal data will be processed (eg the scope and purpose for processing).

This document is GDPR compliant.

Recently reviewed by Lauren Delin, Solicitor.

This data processing agreement was last reviewed on 30 March 2022.

What is a data processing agreement?

A data processing agreement (DPA) is an agreement between a data controller (ie the party that decided on the purposes for and means of processing personal data), referred to as the ‘customer’, and a data processor (ie the party that carries out the instructions of the data controller in its processing of personal data, like a third-party service provider), referred to as the ‘supplier’. A DPA sets out how personal data (eg names and addresses) is to be processed (eg collected or stored). For more information, read Data protection.

When should I use a DPA?

Use this DPA:

to supplement an existing Services agreement (known as the ‘main services agreement’)
where the supplier is processing the personal data:
- to supply services under the main services agreement, or
- as instructed by the customer
to set out how personal data will be processed
if you are based in the UK
if personal data belonging to UK and/or EU data subjects (ie the individuals the data relates to) is being processed

What’s included in a DPA?

This data processing agreement template covers:

who the parties are
the services provided
details of the master services agreement
the types of personal data being processed
the data subjects
sub-processors
security measures to protect the personal data

Why do I need a DPA?

The UK General Data Protection Regulations (GDPR) and Data Protection Act 2018 require data controllers to take measures to ensure the protection of any personal data they process. Having in place a DPA is a key component of GDPR compliance as it sets out technical requirements for the supplier and customer to follow when processing personal data.

Whenever a data controller wishes to outsource data processing to a third party, they need to enter into a DPA with the third party to ensure the safety of the personal data. For more information, read Data processing agreements.

How are services agreements and DPAs connected?

A DPA supplements a master services agreement (eg the Services agreement). While the master services agreement sets out the terms agreed between the parties for the provision of services, the data processing agreement specifically deals with the processing of personal data. For more information, read Data processing agreements.

What information do I need from the master services agreement?

When completing the DPA, certain information from the master services agreement will be needed. This includes:

the name and address of the supplier and customer
the date the master services agreement was entered into
the services the supplier is providing to the customer under the main services agreement

What are restricted transfers?

Transfers to ‘third countries’ (ie countries outside the UK) are known as ‘restricted transfers’. It’s prohibited to transfer personal data to third countries unless safeguards (eg standard contractual clauses (SCCs)) are put in place. This will often involve incorporating the safeguards into the DPA.

Personal data can be transferred outside the European Economic Area (EEA) (eg to the United States of America), provided that such safeguards are in place.

Under this DPA, personal data belonging to both UK and EU data subjects can be transferred under the ‘new’ EU SCCs and the International Data Transfer Addendum.

Under this DPA, personal data belonging to UK data subjects only can be transferred under:

the 'old' EU SCCs or the International Data Transfer Agreement (IDTA), for contracts entered into between 21 March and 21 September 2022
the IDTA for contracts entered into after 21 September 2022

Anyone relying on the 'old' EU SCCs must update their agreements no later than 21 March 2024 and use the IDTA.

For more information, read International transfers of personal data and Standard contractual clauses.

What are sub-processors?

Sub-processors are any data processors engaged by the supplier. The sub-processor undertakes processing activities on behalf of the supplier. Examples of such sub-contracted activities include:

processing personal data on the supplier's behalf
storing personal data (eg in cloud-based storage systems) for the supplier

The supplier can only appoint a sub-processor if the customer consents.

For more information, read Subcontracting work and Data processing agreements.

Can the customer object to a sub-processor?

Whenever a sub-processor is to be appointed, the customer must be informed and provided with relevant information (eg who the sup-processor is and what processing they will undertake). The customer then has 30 days to object to the appointment.

If the customer objects to the appointment of a sub-processor, the supplier and customer should work together to make commercially reasonable changes to the provision of the services, which avoids the use of the sub-processor. If an agreement cannot be reached within 30 days, the customer is allowed to end:

the entire master services agreement
the specific order in question (ie an order under the master services agreement, leaving the master services agreement in place)

What are security measures?

Anyone processing personal data must have security measures in place to prevent personal data from being accidentally or deliberately compromised. Examples of security measures include:

appointing a data protection officer (DPO) - this is an employee responsible for ensuring data protection compliance
having in place an Information security policy - setting out security and related matters (eg access to equipment for anyone outside the business)
having in place relevant data protection policies - including a data retention policy (setting out how long data will be stored and how data will be disposed of), privacy notices (setting out the 'what, how, where, why and when' of data processing) and Privacy policy (informing website users about the proposed processing of their personal data)

If you have any existing security pages and/or policies in place, these can be inserted or linked to in the DPA.

If you require bespoke policies drafted, Ask a lawyer for assistance. For more information, read Data protection principles.

Further advice

Ask a lawyer if:

this document doesn’t meet your specific needs
the supplier processes the data for reasons other than to supply services under the main services agreement or as instructed by the customer
if you require bespoke policies drafted

This DPA is governed by the laws of England and Wales or the law of Scotland.

MAKE YOUR FREE Data processing agreement

HOW IT WORKS