UK Data Processing Agreement Clause Types
Clause Name | Purpose | Main Party Affected | Compliance Importance | Drafting Notes |
|---|---|---|---|---|
Core Article 28 Requirement | ||||
Processing On Documented Instructions | Requires the processor to process personal data only on the controller's documented instructions. | Processor | High | Define instructions, change control, unlawful instruction escalation, and who may issue instructions. |
Subject Matter And Duration Of Processing | Records what processing is performed and how long it will continue. | Both Parties | High | Usually placed in a schedule; align with the service description and retention period. |
Nature And Purpose Of Processing | Describes why and how the processor handles the personal data. | Both Parties | High | Avoid vague labels; specify hosting, support, analytics, payroll, CRM, or other activities. |
Types Of Personal Data | Lists the kinds of personal data processed under the agreement. | Both Parties | High | Identify special category, criminal offence, children's, financial, and credentials data separately. |
Categories Of Data Subjects | Identifies whose personal data is processed. | Data Subject | High | Common groups include customers, employees, suppliers, users, patients, students, and prospects. |
Processor Personnel Confidentiality | Ensures personnel processing data are bound by confidentiality duties. | Processor | High | Cover employees, contractors, temporary staff, and support personnel with data access. |
Operational Safeguard | ||||
Technical And Organisational Security Measures | Requires appropriate safeguards to protect personal data against security risks. | Processor | High | Use a detailed security schedule covering encryption, access controls, logging, backups, and resilience. |
Core Article 28 Requirement | ||||
Sub-processor Authorisation | Controls whether and how the processor may appoint sub-processors. | Sub-processor | High | Choose specific approval or general approval with prior notice and objection rights. |
Sub-processor Flow-down Obligations | Requires sub-processors to accept equivalent data protection obligations. | Sub-processor | High | State the processor remains liable for sub-processor performance unless agreed otherwise. |
Assistance With Data Subject Rights | Requires the processor to help the controller respond to rights requests. | Data Subject | High | Set response times, request routing, search support, and cost recovery rules. |
Processor Personal Data Breach Notification | Requires the processor to notify the controller after becoming aware of a breach. | Processor | High | Specify prompt notice, required details, updates, cooperation, and incident contacts. |
Operational Safeguard | ||||
Breach Investigation And Regulatory Assistance | Requires cooperation with investigation, mitigation, regulator notices, and affected individual notices. | Both Parties | High | Address forensic access, evidence preservation, communications control, and remediation plans. |
Core Article 28 Requirement | ||||
DPIA And Prior Consultation Assistance | Requires help with DPIAs and regulator consultation where processing creates high risk. | Controller | High | Set scope, technical input, timelines, and whether extra assistance is chargeable. |
Termination and Exit | ||||
Deletion Or Return Of Personal Data | Requires data to be returned or deleted after services end, unless law requires storage. | Processor | High | Define export format, deletion deadlines, backup deletion, certification, and legal retention exceptions. |
Audit and Assurance | ||||
Audit And Inspection Rights | Allows the controller to verify processor compliance with data protection obligations. | Controller | High | Balance legal access rights with notice, scope, confidentiality, frequency, and security limits. |
Provision Of Compliance Information | Requires the processor to provide information demonstrating compliance. | Processor | High | May include policies, certifications, summaries, penetration tests, and independent audit reports. |
Core Article 28 Requirement | ||||
Notification Of Unlawful Instructions | Requires the processor to alert the controller if an instruction appears unlawful. | Both Parties | High | Clarify that the processor is not giving full legal advice to the controller. |
Operational Safeguard | ||||
Processor Compliance With UK Data Protection Law | Requires the processor to comply with applicable UK GDPR and Data Protection Act duties. | Processor | High | Avoid shifting controller-only duties to the processor unless operationally justified. |
Controller Compliance And Lawful Basis | Confirms the controller is responsible for lawful basis, transparency, and fair processing. | Controller | High | Important where the processor has no direct relationship with data subjects. |
Core Article 28 Requirement | ||||
Controller And Processor Role Allocation | States whether each party acts as controller, processor, sub-processor, or independent controller. | Both Parties | High | Do not label roles inconsistently with actual decision-making over purposes and means. |
Processing Schedule | Collects required processing details in a structured annex or table. | Both Parties | High | Include processing description, data categories, data subjects, retention, transfers, and sub-processors. |
International Transfer | ||||
Restricted International Transfers | Controls transfers of personal data outside the UK under UK GDPR transfer rules. | Both Parties | High | Identify destination countries, transfer tool, importer role, and onward transfer restrictions. |
UK International Data Transfer Agreement | Incorporates the UK IDTA for restricted transfers from the UK. | Both Parties | High | Complete tables carefully and ensure commercial terms do not conflict with the IDTA. |
UK Addendum To EU Standard Contractual Clauses | Adapts EU SCCs for use with UK restricted transfers. | Both Parties | High | Useful for combined UK and EU transfers; select the correct SCC modules. |
Transfer Risk Assessment Cooperation | Requires parties to assess and document risks for restricted transfers. | Both Parties | High | Processor should provide destination, access, security, importer, and government access information. |
Adequacy Regulation Transfers | Allows transfers to countries or organisations covered by UK adequacy arrangements. | Both Parties | Medium | Reference applicable UK adequacy status and require notice if adequacy changes. |
Onward Transfer Restrictions | Prevents transferred data being passed on without an approved transfer basis. | Processor | High | Align with sub-processing, cloud hosting, support access, and SCC onward transfer terms. |
Data Location And Hosting Regions | Specifies permitted hosting locations and remote access regions. | Processor | Medium | Define whether remote support access counts as a transfer and require approval for region changes. |
Operational Safeguard | ||||
Access Controls And Least Privilege | Limits personal data access to authorised users with a business need. | Processor | High | Include role-based access, privileged account controls, approvals, and periodic reviews. |
Encryption And Pseudonymisation | Reduces risk from unauthorised disclosure or compromise of personal data. | Processor | High | Specify encryption at rest, in transit, key management, and pseudonymisation use cases. |
Logging, Monitoring And Audit Trails | Supports detection, investigation, and evidence of unauthorised access or misuse. | Processor | Medium | Define log events, retention, tamper resistance, review frequency, and customer access. |
Vulnerability Management And Patching | Requires identification and remediation of technical weaknesses affecting personal data. | Processor | High | Set severity-based patch timelines and emergency remediation obligations. |
Availability, Backup And Disaster Recovery | Maintains availability and timely restoration of personal data after incidents. | Processor | High | Include RTO, RPO, backup encryption, restoration testing, and disaster recovery testing. |
Security Testing And Penetration Testing | Verifies that systems processing personal data are resistant to known threats. | Processor | Medium | Define testing frequency, remediation reporting, customer summaries, and restrictions on customer testing. |
Secure Development And Change Management | Controls software changes that may affect personal data security or availability. | Processor | Medium | Cover code review, testing, approvals, emergency changes, and material change notice. |
Physical And Environmental Security | Protects facilities and equipment used to process personal data. | Processor | Medium | Relevant for data centres, offices, paper records, removable media, and secure disposal. |
Staff Training And Awareness | Ensures personnel understand confidentiality, security, and data protection responsibilities. | Processor | Medium | Set induction, annual refresher, phishing, secure handling, and role-specific training requirements. |
Data Minimisation And Purpose Limitation | Limits processing to data and purposes necessary for the agreed services. | Both Parties | Medium | Useful where the processor might receive excess data or use production data for support. |
Termination and Exit | ||||
Retention Periods | Defines how long personal data is kept during and after processing. | Both Parties | High | Align service retention, backups, logs, legal holds, and deletion certification. |
Operational Safeguard | ||||
Anonymisation And Aggregated Data Use | Permits or restricts conversion of personal data into non-personal aggregated data. | Processor | Medium | Define anonymisation standard, ownership, permitted analytics, and prohibition on re-identification. |
Product Improvement And Model Training Restrictions | Controls use of customer personal data for analytics, AI training, or service improvement. | Processor | High | State whether use is prohibited, controller-authorised, anonymised only, or separately controlled. |
Audit and Assurance | ||||
Records Of Processing Support | Supports maintenance of required records of processing activities. | Both Parties | Medium | Processors may need their own Article 30 records and information for controller records. |
Security Certifications And Standards | Uses recognised certifications or standards as assurance of security controls. | Processor | Medium | List relevant standards such as ISO 27001, SOC 2, Cyber Essentials, or sector standards. |
Independent Audit Reports | Allows reliance on third-party reports instead of frequent customer audits. | Both Parties | Medium | Address report type, frequency, bridge letters, confidentiality, and remediation tracking. |
Operational Safeguard | ||||
Regulator Cooperation And Notices | Requires cooperation with the ICO or other competent data protection authority. | Both Parties | Medium | Require prompt notice of regulator contact unless legally prohibited. |
International Transfer | ||||
Law Enforcement And Government Access Requests | Controls handling of official requests for access to personal data. | Processor | Medium | Include notice, legal challenge, minimisation, transparency reports, and transfer impact relevance. |
Commercial Allocation | ||||
Data Protection Indemnity | Allocates financial responsibility for losses caused by data protection breaches. | Both Parties | Medium | Define covered losses, fines, third-party claims, mitigation, and conduct of claims. |
Data Protection Liability Cap | Sets financial exposure for data protection breaches under the contract. | Both Parties | Medium | Consider super-caps for breaches, security incidents, indemnities, and regulatory fines. |
Cyber And Professional Liability Insurance | Requires insurance coverage for cyber incidents and data protection-related liabilities. | Processor | Medium | Specify policy types, limits, exclusions, evidence, notification, and continuity of cover. |
Costs Of Assistance | Allocates costs for audits, rights requests, DPIAs, breach assistance, and bespoke support. | Both Parties | Medium | Separate ordinary compliance support from exceptional, customer-caused, or out-of-scope work. |
Operational Safeguard | ||||
Material Changes To Processing | Requires notice or approval for changes affecting processing risk or compliance. | Both Parties | Medium | Cover new purposes, data types, locations, sub-processors, security architecture, and AI use. |
Core Article 28 Requirement | ||||
Sub-processor Change Notice And Objection Procedure | Gives the controller a process to object to new or replacement sub-processors. | Controller | High | Set notice period, valid objection grounds, resolution process, and termination rights. |
Approved Sub-processors List | Identifies authorised sub-processors and their processing roles. | Sub-processor | High | Include name, function, location, transfer basis, and update mechanism. |
Audit and Assurance | ||||
Audit Remediation Cooperation | Requires correction of compliance gaps found during audits or assessments. | Processor | Medium | Set remediation plans, severity levels, timelines, evidence, and escalation rights. |
Termination and Exit | ||||
Exit Assistance And Data Portability | Supports migration of personal data to the controller or replacement provider. | Controller | Medium | Specify export format, transition period, assistance fees, and continued security during exit. |
Termination For Data Protection Breach | Allows contract action where data protection failures create serious risk. | Both Parties | Medium | Include cure periods, urgent suspension, unresolved sub-processor objections, and transfer illegality. |
Survival Of Data Protection Obligations | Keeps relevant confidentiality, security, deletion, audit, and liability terms effective after termination. | Both Parties | Medium | Ensure survival lasts until all personal data is returned, deleted, or lawfully retained. |
Legal Retention Exception | Permits limited retention where UK law requires continued storage. | Processor | Medium | Require isolation, confidentiality, restricted use, and deletion when retention law no longer applies. |
Operational Safeguard | ||||
Direct Data Subject Request Handling | Requires the processor to forward data subject requests to the controller promptly. | Data Subject | High | Prohibit substantive responses unless authorised; set short notification deadlines. |
Special Category Data Safeguards | Adds safeguards for sensitive personal data such as health, biometrics, or ethnicity data. | Both Parties | High | Identify Article 9 data, higher security, access limits, and controller condition responsibility. |
Criminal Offence Data Safeguards | Adds safeguards for processing criminal conviction or offence data. | Both Parties | High | Confirm authorisation basis, access restrictions, retention, and enhanced confidentiality. |
Children's Data Safeguards | Adds protections for processing children's personal data. | Data Subject | High | Consider age-appropriate design, parental controls, profiling limits, and enhanced transparency support. |
Automated Decision-making And Profiling Support | Supports compliance where processing involves profiling or automated decisions. | Data Subject | Medium | Clarify whether processor performs decisions, provides scores, or only hosts controller tools. |
Data Protection By Design And Default | Requires systems and services to support privacy-friendly configuration and minimisation. | Both Parties | Medium | Useful for SaaS, platforms, APIs, configurable retention, permissions, and privacy settings. |
Termination and Exit | ||||
Evidence Of Deletion Or Return | Provides proof that personal data was returned, deleted, or securely retained as agreed. | Controller | Medium | Use deletion certificates, export logs, backup expiry statements, and retained-data inventories. |
Commercial Allocation | ||||
Order Of Precedence For Data Protection Terms | Resolves conflicts between the DPA, main agreement, SCCs, IDTA, schedules, and policies. | Both Parties | Medium | Give mandatory transfer clauses priority where required by their terms. |
Operational Safeguard | ||||
Incorporated Security Policies | Incorporates security policies, acceptable use terms, or technical documents into the DPA. | Both Parties | Medium | Control unilateral updates and require no material reduction in protection. |
Privacy And Security Contact Points | Identifies operational contacts for instructions, breaches, audits, and rights requests. | Both Parties | Low | Use monitored addresses, escalation contacts, and emergency channels for incidents. |
Data Protection Notices And Escalation | Sets how data protection notices, approvals, objections, and escalations are given. | Both Parties | Low | Separate urgent incident notice channels from ordinary contractual notice provisions. |
Accuracy And Correction Support | Supports correction or updating of inaccurate personal data held by the processor. | Data Subject | Medium | Set mechanisms for correction, synchronisation, propagation to sub-processors, and audit trails. |
Audit and Assurance | ||||
Confidentiality Of Audit And Security Materials | Protects sensitive security documentation disclosed during due diligence or audits. | Both Parties | Low | Restrict sharing of penetration tests, SOC reports, diagrams, vulnerabilities, and remediation details. |
Audit Scope And Frequency Limits | Defines practical limits on customer audits while preserving statutory audit rights. | Both Parties | Medium | Common limits include annual audits, business hours, prior notice, no competitor auditors, and no disruption. |
Operational Safeguard | ||||
Data Segregation And Tenant Isolation | Prevents unauthorised access between customers, tenants, environments, or datasets. | Processor | High | Important for multi-tenant cloud services, shared databases, sandboxes, and test environments. |
Use Of Personal Data In Testing Environments | Restricts use of live personal data for testing, development, or troubleshooting. | Processor | Medium | Prefer synthetic or anonymised data; require approval and safeguards for production data use. |
Remote Access And Support Controls | Controls support access to systems or personal data from remote locations. | Processor | High | Include MFA, just-in-time access, session logging, device security, and region controls. |
Multi-factor Authentication | Reduces risk of account compromise for systems processing personal data. | Processor | Medium | Require MFA for privileged accounts, remote access, admin consoles, and customer-facing accounts where appropriate. |
Secure Disposal Of Media And Paper Records | Ensures secure destruction of media, devices, and paper containing personal data. | Processor | Medium | Specify wiping, shredding, destruction certificates, asset tracking, and disposal vendors. |
Security Incident Management Procedure | Requires a documented process for identifying, managing, and escalating security incidents. | Processor | High | Distinguish all security incidents from personal data breaches requiring controller notice. |
Post-breach Remediation And Lessons Learned | Requires corrective action after a personal data breach or serious security incident. | Processor | Medium | Set root cause analysis, remediation deadlines, reporting, and recurrence prevention. |
Core Article 28 Requirement | ||||
Limits On Processor Decision-making | Prevents processor discretion from undermining the intended controller-processor relationship. | Processor | Medium | Allow only operational decisions needed to deliver services, not independent purposes. |
Commercial Allocation | ||||
Independent Controller Or Joint Controller Carve-outs | Separates processing that is not performed solely as processor for the controller. | Both Parties | High | Use where fraud prevention, benchmarking, account administration, or legal compliance processing has separate purposes. |
Operational Safeguard | ||||
Public Sector And FOIA Handling | Addresses information requests and confidentiality limits for UK public sector controllers. | Both Parties | Medium | Coordinate FOIA, EIR, confidentiality, security marking, and processor consultation before disclosure. |
Health Data And NHS Data Security Requirements | Adds sector controls for health, care, or NHS-related personal data processing. | Both Parties | High | Consider DSPT, clinical safety, confidentiality duties, data sharing approvals, and heightened access controls. |
Audit and Assurance | ||||
Regulated Outsourcing And Operational Resilience Support | Supports regulated controllers with outsourcing, resilience, audit, and regulator access duties. | Both Parties | Medium | Relevant for FCA, PRA, payment services, insurers, and material outsourcing arrangements. |
Operational Safeguard | ||||
Personnel Screening And Background Checks | Reduces insider risk for personnel with access to sensitive or high-risk data. | Processor | Medium | Ensure screening is lawful, proportionate, role-based, and suitable for regulated environments. |
Privileged Access Management | Controls administrator and elevated accounts that can access or alter personal data. | Processor | High | Include approval, segregation of duties, session recording, break-glass controls, and review. |
Termination and Exit | ||||
Backup Retention And Deletion Cycle | Explains how personal data in backups is retained, isolated, and eventually deleted. | Processor | Medium | State backup expiry period and prohibit restoration except for continuity or legal reasons. |
Controller Self-service Deletion Tools | Allows the controller to delete or export data through service tools. | Controller | Medium | Clarify whether self-service deletion affects backups, logs, caches, and sub-processor copies. |
Operational Safeguard | ||||
No Material Reduction In Security | Prevents the processor from weakening agreed security protections during the term. | Processor | Medium | Useful where security measures are described in online policies that may change. |
Disclosure To Third Parties | Restricts disclosure of personal data except as instructed, authorised, or legally required. | Processor | High | Coordinate with sub-processing, legal requests, professional advisers, and emergency disclosure exceptions. |
Legally Required Disclosure Notice | Requires notice before legally compelled disclosure, unless notice is prohibited. | Processor | Medium | Include minimum disclosure, legal review, and cooperation with objections or protective measures. |
Sub-processor Breach And Remediation | Requires the processor to manage sub-processor failures affecting personal data. | Sub-processor | High | Include notification, replacement, remediation, audit evidence, and processor liability. |
Audit and Assurance | ||||
Sub-processor Due Diligence | Requires assessment of sub-processors before appointment and during engagement. | Sub-processor | Medium | Check security, location, transfer basis, certifications, breach history, and contractual flow-downs. |
International Transfer | ||||
Offshore Support Access | Controls remote support access to UK personal data from outside the UK. | Processor | High | List countries, safeguards, access controls, logging, and applicable transfer mechanism. |
Operational Safeguard | ||||
Emergency Access To Personal Data | Permits limited exceptional access to protect systems, data, or service continuity. | Processor | Medium | Require logging, post-event review, notification where appropriate, and narrow purpose limits. |
Prohibited Processing Activities | Bans unauthorised sale, sharing, profiling, enrichment, scraping, or secondary use of personal data. | Processor | High | Especially important for adtech, analytics, AI, data brokers, and customer data platforms. |
Transparency Information Support | Helps the controller provide accurate privacy information about processor activities. | Controller | Medium | Processor may provide sub-processor, location, retention, security, and functionality information. |
Commercial Allocation | ||||
Controller Data Quality Responsibility | Allocates responsibility for the accuracy and legality of data supplied to the processor. | Controller | Medium | Processor should not warrant accuracy of data it merely hosts or processes on instruction. |
Breach Communications Control | Controls public, customer, regulator, and data subject communications after a breach. | Both Parties | Medium | Preserve controller notification decisions while allowing required legal or security communications. |
Governing Law And Jurisdiction For DPA | Identifies the law and courts governing contractual data protection disputes. | Both Parties | Low | For UK use, align with the main agreement and mandatory transfer clause requirements. |
Operational Safeguard | ||||
UK Representative And Establishment Information | Records UK representative details where non-UK parties are subject to UK GDPR obligations. | Both Parties | Low | Relevant for non-UK controllers or processors offering goods or monitoring people in the UK. |
Data Protection Officer Contact Details | Identifies DPO or privacy lead contacts for compliance cooperation. | Both Parties | Low | Do not state a DPO exists unless one has been formally appointed. |
Operational Logs Retention | Defines retention and use of logs that may contain personal data. | Processor | Medium | Address security logs, application logs, access logs, diagnostic logs, and masking of sensitive data. |
API And Integration Data Flows | Defines responsibilities for personal data shared through APIs or third-party integrations. | Both Parties | Medium | Clarify controller-enabled integrations, marketplace apps, credentials, scopes, and third-party terms. |
Commercial Allocation | ||||
Customer Account Administration Data | Separates administrative account data from service data processed as processor. | Both Parties | Medium | Provider may be independent controller for billing, account management, and fraud prevention data. |
Controller Instructions For Data Import And Uploads | Allocates responsibility for personal data uploaded, configured, or submitted by the controller. | Controller | Medium | Useful for SaaS tools where the processor cannot control what data the customer uploads. |
Prohibited Or Restricted Data Types | Prevents upload or processing of data types outside the service's intended risk profile. | Controller | Medium | List excluded data such as health, payment card, biometric, criminal, children's, or secrets data. |
What Clauses Should A UK Data Processing Agreement Include?
A UK data processing agreement should cover the mandatory processor terms required by UK GDPR Article 28, including documented instructions, confidentiality, security, sub-processing, data subject assistance, breach assistance, deletion or return of data, audits, and flow-down obligations. These clauses are not optional where a processor processes personal data for a controller.
Which DPA Clauses Usually Create The Most Negotiation Risk?
The clauses most often needing careful drafting are sub-processor approval, international transfers, audit rights, security measures, liability, and breach notification timing. These clauses affect operational control, regulatory exposure, and commercial risk allocation between controller and processor.
How Should UK International Transfer Clauses Be Handled?
UK DPAs should distinguish UK transfer tools from EU transfer tools. For restricted transfers from the UK, parties commonly need the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, plus a transfer risk assessment where appropriate.
Why Are Schedules Important In A Data Processing Agreement?
The DPA should not rely only on generic wording. Schedules should identify the processing subject matter, duration, nature, purpose, categories of personal data, categories of data subjects, technical and organisational measures, approved sub-processors, and transfer mechanisms. These details help show that the agreement reflects the actual processing arrangement.




