AI Generated British Data Processing Agreement
PDF & Word - 2026 Updated

When do you need a Data Processing Agreement in the United Kingdom?
British Legal Rules for a Data Processing Agreement
Using the wrong structure for a data processing agreement can lead to non-compliance with UK GDPR requirements and expose parties to regulatory penalties.
What a Proper Data Processing Agreement Should Include
- Parties Involved: Clearly identify the data controller (who decides how data is used) and the data processor (who handles the data on behalf of the controller).
- Data Processing Details: Specify the types of personal data involved, the purposes for processing, and any categories of data subjects affected.
- Processor's Duties: Outline the processor's obligations, such as processing data only as instructed and ensuring data security.
- Security Measures: Require the processor to implement appropriate technical and organizational safeguards to protect personal data from unauthorized access or loss.
- Sub-Processing Rules: Set conditions under which the processor can appoint third parties to help with data processing, including approval requirements.
- Data Transfer Limits: Define rules for transferring personal data outside the UK or EEA, ensuring equivalent protection levels.
- Data Subject Rights Support: Mandate that the processor assists the controller in fulfilling individuals' rights, like accessing or deleting their data.
- Audit and Inspection Rights: Allow the controller to audit the processor's compliance with the agreement to verify data protection practices.
- Breach Notification: Require the processor to promptly notify the controller of any personal data breaches.
- Data Return or Deletion: Instruct the processor to return or securely delete all personal data at the end of the agreement.
- Liability and Indemnity: Clarify each party's responsibility for losses arising from data processing activities.
- Termination and Duration: State how long the agreement lasts and what happens to the data upon termination.
United Kingdom: Free Example Data Processing Agreement Template
Below is a free template example of a Data Processing Agreement for use in the United Kingdom generated by our AI model.
The clauses in your actual Data Processing Agreement will vary from this example as they will be entirely bespoke to your requirements as set out in the questionnaire you complete.
Data Processing Agreement between ABC Ltd and XYZ Services
1 DEFINITIONS AND INTERPRETATION
In this Agreement the following terms shall have the following meanings unless the context requires otherwise.
Personal Data means any information relating to an identified or identifiable natural person (data subject) where an identifiable natural person is one who can be identified directly or indirectly in particular by reference to an identifier such as a name an identification number location data an online identifier or to one or more factors specific to the physical physiological genetic mental economic cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data whether or not by automated means such as collection recording organisation structuring storage adaptation or alteration retrieval consultation use disclosure by transmission dissemination or otherwise making available alignment or combination restriction erasure or destruction.
The Controller (ABC Ltd) is the entity that determines the purposes and means of the processing of Personal Data.
The Processor (XYZ Services) is the entity that processes Personal Data on behalf of the Controller (ABC Ltd).
Subprocessor means any third party engaged by the Processor (XYZ Services) to process Personal Data on behalf of the Controller (ABC Ltd) including but not limited to affiliates subcontractors or other service providers.
The headings in this Agreement are for ease of reference only and shall not affect its interpretation or construction.
References to clauses and schedules are to the clauses and schedules of this Agreement.
2 PARTIES AND BACKGROUND
This Data Processing Agreement is made between ABC Ltd (the Controller (ABC Ltd)) and XYZ Services (the Processor (XYZ Services)).
This Agreement is made on 15 January 2024 and shall take effect from that date (the Effective Date).
The Processor (XYZ Services) will process Personal Data on behalf of the Controller (ABC Ltd) in connection with the services provided under the main services agreement between the parties dated 15 January 2024.
This Agreement supplements and forms part of the main services agreement. In the event of any conflict between this Agreement and the main services agreement the terms of this Agreement shall prevail in respect of data protection matters.
3 DETAILS OF PROCESSING
The subject matter of the processing is the provision of services by the Processor (XYZ Services) to the Controller (ABC Ltd) involving the collection storage and analysis of customer Personal Data.
The nature of the processing consists of collection storage organisation structuring analysis and deletion of Personal Data.
The purpose of the processing is to provide personalised marketing recommendations customer support manage customer inquiries process orders send marketing communications generate marketing insights and reports identify customer preferences and trends and improve user experience by analysing user behaviour.
The duration of the processing shall be for the term of the main services agreement which commences on 15 January 2024 and continues for an initial term of 12 months automatically renewing for successive 12-month periods unless terminated in accordance with its terms.
The types of Personal Data to be processed are names email addresses phone numbers IP addresses purchase history and postal addresses. No special categories of Personal Data (sensitive data) or Personal Data relating to criminal convictions and offences will be processed under this Agreement. No Personal Data of children under 13 will be processed under this Agreement.
The categories of data subjects are customers website visitors employees and suppliers.
The geographic locations of processing are the United Kingdom and European Economic Area. International transfers are contemplated as set out in clause 9 and Annex 2.
4 CONTROLLER OBLIGATIONS
The Controller (ABC Ltd) shall ensure that it has a lawful basis for processing the Personal Data and for providing the Personal Data to the Processor (XYZ Services) in accordance with this Agreement and UK GDPR Article 6.
The Controller (ABC Ltd) shall inform the Processor (XYZ Services) without undue delay if it becomes aware of any non-compliance with this Agreement the UK GDPR or the Data Protection Act 2018 in relation to the Personal Data.
The Controller (ABC Ltd) shall be responsible for responding to requests from data subjects exercising their rights under the UK GDPR unless otherwise agreed in writing.
The Controller (ABC Ltd) shall provide accurate up-to-date and documented instructions to the Processor (XYZ Services) regarding the processing of Personal Data.
The Controller (ABC Ltd) shall comply with its obligations under the UK GDPR and the Data Protection Act 2018 including but not limited to ensuring the accuracy of Personal Data and implementing appropriate technical and organisational measures.
5 OBLIGATIONS OF THE PROCESSOR
The Processor (XYZ Services) shall process the Personal Data only on documented instructions from the Controller (ABC Ltd) (including as set out in this Agreement and Annex 4) unless required to do so by applicable law in which case the Processor (XYZ Services) shall inform the Controller (ABC Ltd) of that legal requirement before processing unless that law prohibits such information on important grounds of public interest.
The Processor (XYZ Services) shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
The Processor (XYZ Services) shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing taking into account the state of the art the costs of implementation and the nature scope context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures are set out in Annex 3.
The Processor (XYZ Services) shall maintain a record of all categories of processing activities carried out on behalf of the Controller (ABC Ltd) in accordance with Article 30(2) of the UK GDPR and shall make such records available to the Controller (ABC Ltd) on request.
The Processor (XYZ Services) shall comply with all other obligations imposed on processors under the UK GDPR and the Data Protection Act 2018.
6 SUB-PROCESSORS
The Controller (ABC Ltd) provides a general written authorisation to the Processor (XYZ Services) to engage Subprocessors to process the Personal Data. A list of approved Subprocessors including their contact details is set out in Annex 1.
The Processor (XYZ Services) shall notify the Controller (ABC Ltd) in writing of any intended changes concerning the addition or replacement of Subprocessors giving the Controller (ABC Ltd) an opportunity to object to such changes within 14 days of receipt of the notice.
The Processor (XYZ Services) shall impose on each Subprocessor the same data protection obligations as set out in this Agreement. The Processor (XYZ Services) shall remain fully liable to the Controller (ABC Ltd) for the performance of each Subprocessor’s obligations.
Geographic restrictions on where Subprocessors may process the Personal Data are set out in Annex 1 and Annex 2.
7 DATA SUBJECT RIGHTS
The Processor (XYZ Services) shall notify the Controller (ABC Ltd) without undue delay upon receiving any request from a data subject in relation to the exercise of rights under the UK GDPR.
The Processor (XYZ Services) shall assist the Controller (ABC Ltd) (at the Controller (ABC Ltd)’s cost) in ensuring compliance with the obligations relating to data subject rights under the UK GDPR including the rights of access rectification erasure restriction of processing data portability and objection.
The primary responsibility for responding to data subject requests lies with the Controller (ABC Ltd) unless otherwise agreed in writing.
The identity verification procedure set out below shall only be applied where the Processor (XYZ Services) is directly handling requests on behalf of the Controller (ABC Ltd). The Processor (XYZ Services) shall verify the data subject’s identity by requesting a copy of a government-issued photo identification document and matching it against the details provided in the request.
8 SECURITY OF PROCESSING
The Processor (XYZ Services) shall implement the technical and organisational security measures set out in Annex 3 which are appropriate to the risk.
The Processor (XYZ Services) shall impose equivalent security requirements on any Subprocessors.
The maximum retention period for which the Processor (XYZ Services) shall hold Personal Data before secure deletion is set out in Annex 4.
9 DATA BREACH NOTIFICATION
The Processor (XYZ Services) shall notify the Controller (ABC Ltd) of any Personal Data breach without undue delay and in any event within 24 hours after becoming aware of it.
The Processor (XYZ Services) may notify the competent authority (such as the Information Commissioner’s Office) directly if required by law but shall inform the Controller (ABC Ltd) without undue delay if it does so.
The Processor (XYZ Services) shall assist the Controller (ABC Ltd) with any notifications to the Information Commissioner’s Office or to data subjects as required under the UK GDPR.
Any notification of a Personal Data breach from the Processor (XYZ Services) to the Controller (ABC Ltd) shall include the nature of the Personal Data breach (including where possible the categories and approximate number of data subjects and Personal Data records concerned) the likely consequences of the breach and the measures taken or proposed to be taken to address the breach.
The Processor (XYZ Services) shall maintain records of all Personal Data breaches including those that do not require notification.
The Processor (XYZ Services) shall notify the Controller (ABC Ltd) of any Personal Data breach by email and telephone call to the contacts set out in clause 18.
10 DATA PROTECTION IMPACT ASSESSMENTS AND PRIOR CONSULTATION
The Processor (XYZ Services) shall assist the Controller (ABC Ltd) in conducting data protection impact assessments when required under Article 35 of the UK GDPR and in prior consultations with the Information Commissioner’s Office as required by Article 36 of the UK GDPR.
The Controller (ABC Ltd) shall reimburse the Processor (XYZ Services) for reasonable costs incurred in providing assistance with data protection impact assessments or prior consultations.
11 INTERNATIONAL TRANSFERS
The Processor (XYZ Services) shall not transfer Personal Data outside the UK unless the transfer complies with Chapter V of the UK GDPR.
Transfers of Personal Data outside the UK are contemplated to the countries and recipients set out in Annex 2.
The appropriate safeguards for such transfers shall be the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses (as applicable) as set out in Annex 2. The executed transfer tool is attached to Annex 2.
The nature and purpose of the international transfers the categories of data subjects the types of Personal Data and other details are set out in Annex 2.
12 AUDIT RIGHTS
The Processor (XYZ Services) shall make available to the Controller (ABC Ltd) all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the UK GDPR and this Agreement.
The Controller (ABC Ltd) shall have the right to audit the Processor (XYZ Services)’s compliance with this Agreement including on-site audits with reasonable notice (not less than 30 days unless in cases of emergency).
The Processor (XYZ Services) shall contribute to and cooperate with such audits.
Audits shall be limited to once per year unless the Controller (ABC Ltd) has reasonable grounds to believe the Processor (XYZ Services) is in breach of this Agreement.
The Controller (ABC Ltd) may appoint a third-party auditor provided that such third party is bound by appropriate confidentiality obligations.
The Controller (ABC Ltd) shall bear the costs of any audit unless the audit reveals material non-compliance by the Processor (XYZ Services) in which case the Processor (XYZ Services) shall reimburse the Controller (ABC Ltd) for its reasonable costs.
The Processor (XYZ Services) shall be afforded a remediation period of 30 days to address any issues identified in an audit.
13 DATA RETURN OR DELETION
Upon termination or expiry of this Agreement or the main services agreement at the choice of the Controller (ABC Ltd) the Processor (XYZ Services) shall either return all Personal Data to the Controller (ABC Ltd) or delete (or irreversibly anonymise) the Personal Data (or a combination of return and then delete).
The Processor (XYZ Services) shall complete the return or deletion of Personal Data within 30 days after termination or expiry.
The Processor (XYZ Services) shall be permitted to retain Personal Data beyond this period where required for legal or regulatory purposes in which case the Processor (XYZ Services) shall inform the Controller (ABC Ltd) and ensure the confidentiality of such Personal Data.
The Processor (XYZ Services) shall use secure deletion methods (such as those meeting ISO 27001 standards or equivalent) and shall provide written certification of deletion to the Controller (ABC Ltd) upon request.
The specific instructions of the Controller (ABC Ltd) regarding the return or deletion of Personal Data upon termination of this Agreement are that the Processor (XYZ Services) shall return all Personal Data in a secure encrypted format via secure file transfer protocol to the Controller (ABC Ltd)’s designated server and shall securely delete all copies from its systems including backups within 30 days of termination.
14 DATA PROTECTION OFFICER
Each party shall designate a data protection officer if required to do so under Article 37 of the UK GDPR.
The contact details of the data protection officers (where appointed) are as follows: For the Controller (ABC Ltd): John Doe jdoe@company.com +44 20 1234 5678. For the Processor (XYZ Services): notices@processorcompany.co.uk.
The data protection officers shall be involved properly and in a timely manner in all issues relating to the protection of Personal Data and shall be able to fulfil their tasks independently.
15 CONFIDENTIALITY
The Processor (XYZ Services) shall treat all Personal Data as strictly confidential and shall not disclose it to any third party without the prior written consent of the Controller (ABC Ltd) except as required by law.
Permitted disclosures of Personal Data by the Processor (XYZ Services) under the confidentiality obligations are those required by legal requirements and those made with the consent of the Controller (ABC Ltd).
The confidentiality obligations shall survive termination of this Agreement.
16 INDEMNITY
The Processor (XYZ Services) shall indemnify the Controller (ABC Ltd) against all losses claims damages costs and expenses arising out of or in connection with any breach by the Processor (XYZ Services) of its obligations under this Agreement or under the UK GDPR or the Data Protection Act 2018.
The indemnity shall cover direct losses regulatory fines and legal costs.
The Controller (ABC Ltd) shall provide prompt notice to the Processor (XYZ Services) of any claim that may give rise to an indemnity obligation under this clause.
This example shows approximately 70% of a typical document and is provided for illustrative purposes only. The remaining content has been omitted.
Every document generated by Docaro is tailored to your specific circumstances, jurisdiction and the information you provide. The completed document includes all applicable clauses and provisions required for your situation.
To generate the full, personalised document, answer a short series of questions and your document will be created instantly.