DATA PROCESSING AGREEMENT
This Agreement is made on [effectiveDate] between:
(1) [controllerName] of [controllerAddress] (the "Controller"); and
(2) [processorName] of [processorAddress] (the "Processor").
(each a "Party" and together the "Parties")
1. Background
1.1. The Parties have entered into the [mainAgreementName] (the "Main Agreement") under which the Processor processes Personal Data on behalf of the Controller.
1.2. This Agreement supplements the Main Agreement and complies with Article 28 of the UK GDPR (retained Regulation (EU) 2016/679) and the Data Protection Act 2018.
2. Definitions
2.1. Terms not defined here have the meanings given in the UK GDPR. "Personal Data", "Process", "Data Subject", "Data Protection Law", "Sub-processor", and "Personal Data Breach" have the meanings given in the UK GDPR.
3. Subject matter and details of processing (Annex 1)
3.1. Subject matter and purpose: [subjectMatter]
3.2. Duration: For the term of the Main Agreement
3.3. Categories of Personal Data: [dataCategories]
3.4. Categories of Data Subjects: [dataSubjects]
4. Processor obligations (UK GDPR Art. 28(3))
4.1. The Processor shall:
(a) process Personal Data only on documented written instructions from the Controller, including with regard to international transfers, unless required to process by UK or EU law (in which case it will inform the Controller of that requirement);
(b) ensure that persons authorised to process Personal Data are committed to confidentiality (or under statutory obligation of confidentiality);
(c) take all measures required under Article 32 UK GDPR (security of processing), as set out in Annex 2;
(d) respect the conditions in clause 5 below for engaging Sub-processors;
(e) taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil its obligation to respond to requests from Data Subjects under Articles 12–22 UK GDPR;
(f) assist the Controller in ensuring compliance with Articles 32 to 36 UK GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and information available to the Processor;
(g) at the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless retention is required by UK or EU law;
(h) make available to the Controller all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (subject to reasonable confidentiality and notice).
5. Sub-processors
5.1. The Controller gives the Processor general authorisation to engage Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, giving the Controller the opportunity to object on reasonable data-protection grounds.{{^subProcessorsAllowed}}5.1. The Processor must obtain the Controller's prior specific written authorisation before engaging any Sub-processor.{{/subProcessorsAllowed}}
5.2. Current sub-processors:
[subProcessorList]
5.3. Where the Processor engages a Sub-processor, the Processor will impose the same data-protection obligations on that Sub-processor by contract (Article 28(4) UK GDPR). The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.
6. International transfers
6.1. The Processor may transfer Personal Data to a country outside the United Kingdom only if the Processor has implemented one or more of the following safeguards:
(a) the UK International Data Transfer Agreement (IDTA);
(b) the EU Standard Contractual Clauses adopted by the European Commission, supplemented by the UK Addendum;
(c) reliance on a UK adequacy decision in force at the time of the transfer (e.g. UK extension to the EU-US Data Privacy Framework); or
(d) any other transfer tool recognised under Articles 46–49 UK GDPR.
6.2. The Processor will provide the Controller with copies of executed transfer agreements on reasonable request.{{^internationalTransfers}}6.1. The Processor must not transfer Personal Data outside the United Kingdom without the Controller's prior written approval.{{/internationalTransfers}}
7. Personal Data Breach notification
7.1. The Processor shall notify the Controller of any Personal Data Breach without undue delay and within 24 hours after becoming aware of it.
7.2. The notification will, at minimum, describe:
(a) the nature of the breach (categories and approximate number of Data Subjects and records concerned);
(b) the likely consequences;
(c) the measures taken or proposed to address the breach and mitigate its effects;
(d) the contact details of the Processor's data-protection contact.
8. Data Subject rights
8.1. The Processor will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures to respond to requests under Articles 12–22 UK GDPR. Where a Data Subject contacts the Processor directly, the Processor will redirect the request to the Controller without undue delay.
9. Audits
9.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 and contribute to audits, including inspections by the Controller or its auditor, subject to:
(a) at least 30 days' written notice (except where the audit follows a Personal Data Breach);
(b) reasonable confidentiality undertakings;
(c) reasonable access charges where audits exceed once per calendar year.
9.2. The Processor may satisfy this clause by providing the Controller with a current SOC 2 Type II report, ISO 27001 certificate, or equivalent third-party attestation.
10. Liability
10.1. Each Party's liability for breach of this Agreement is governed by the liability clause in the Main Agreement. Nothing in this Agreement excludes liability for breach of statutory obligations under Data Protection Law that cannot lawfully be excluded.
11. Term and termination
11.1. This Agreement is effective from the Effective Date and remains in force for as long as the Processor processes Personal Data on behalf of the Controller.
11.2. On termination of the Main Agreement, the Processor will, at the Controller's choice, delete or return all Personal Data within 30 days, and delete existing copies unless retention is required by law.
12. Governing law
12.1. This Agreement is governed by the law of England and Wales. The courts of England and Wales have exclusive jurisdiction.
Annex 2: Technical and organisational security measures
The Processor will implement at least the following:
- Encryption in transit (TLS 1.2 or higher) and at rest for Personal Data;
- Access control with role-based access, least-privilege defaults, and at least annual access reviews;
- Authentication with multi-factor authentication on administrative accounts;
- Logging and monitoring of access to Personal Data, with audit trails retained for at least 12 months;
- Backups with at least 30-day retention and tested restore procedures;
- Vulnerability management with regular patching, dependency scanning, and penetration testing at least annually;
- Personnel subject to confidentiality, with security training on engagement and annually thereafter;
- Incident response with documented runbooks and 24/7 contact;
- Subcontractor diligence before engagement and on an ongoing basis.
Signed for and on behalf of [controllerName]:
Name: ____________________________ Position: __________________________ Date: ____________________________
Signature: _________________________
Signed for and on behalf of [processorName]:
Name: ____________________________ Position: __________________________ Date: ____________________________
Signature: _________________________
This template is provided by UKContracts.uk as a starting point only. Both parties should have it reviewed by a qualified UK solicitor.