Data processing addendum

Price:  £45.00(Inc. 20% VAT)(£37.50 Exc. VAT)

This template data processing addendum has been designed to help you bring a services contract into line with the UK and/or EU GDPR.

Author: Alasdair Taylor
Updated: 23 January 2023
Length: 7 pages
Notes: 8 pages
Format: MS Word (.DOC)

This data processing addendum template provides for the transfer of personal data in a manner consistent with the General Data Protection Regulation or GDPR - in its original EU form and/or its derivative UK form. It can help both transferees and transferors to comply with their legal obligations relating to data transfers under the GDPR.

This addendum template can be used alongside a new services contract; alternatively, it can be used with respect to a previously-agreed services contract.

Article 28 of the  EU GDPR and its UK offspring include detailed rules on the content of contracts between organisations that act as controllers/processors of personal data and those that act as processors/sub-processors. In preparing this data processing addendum, we have tracked the specific requirements of Article 28 of the GDPR closely. Accordingly, the addendum incorporates a limitation on the transferee acting otherwise than in accordance with the written instructions of the transferor. It also includes limitations on international transfers of personal data, a requirement that confidentiality obligations be placed upon individuals who can access the data, and security requirements.

This data processing addendum comes in two (very similar) versions. The first should be used where one party to the contract is a controller and the other is a processor with respect to data transferred under the contract; the second should be used where one party is a processor and the other is a sub-processor. Neither version is suitable for controller-to-controller transfers of personal data.

If you are unsure whether your business or organisation is a controller or processor or sub-processor, you should review the guidance on the distinction published by the UK Information Commissioner's Office ( and/or the European Data Protection Board (


  1. Definitions
  2. This Addendum and the Agreement
  3. Data protection
  4. Surviving provisions


  1. Categories of data subject
  2. Types of Personal Data
  3. Purposes of processing
  4. Security measures for Personal Data
  5. Sub-processors of Personal Data


Copies of both versions of this data processing addendum are included in the following pack:

Be the first to write a review of this template using our brand new review system.