Data processing agreement

Price:  £45.00(Inc. 20% VAT)(£37.50 Exc. VAT)
  (1 Review)

A data processing agreement template to help businesses comply with data protection law, including compliance with the EU and/or UK GDPRs.

Author: Alasdair Taylor
Updated: 23 January 2023
Length: 10 pages
Notes: 11 pages
Format: MS Word (.DOCX)

This data processing agreement will help data controllers to transfer personal data to processors and will help processors to make onward transfers of personal data to sub-processors, in each case in a General Data Protection Regulation (GDPR)-compliant manner.

The data processing agreement may be used as a stand-alone document, but more commonly it will be used to supplement an existing contract under which data, including personal data, is processed.

The approach we have taken in preparing this data processing agreement is to closely shadow the requirements of the GDPR (in both its EU and UK forms). Clauses included in the agreement cover, for example, obligations on the processor to act only on the instructions of the data controller in relation to the processing of the data and to delete the personal data after the end of the contract.

The "variables" which may be associated with a data processing agreement, such as the identification of data subject categories, are set out in a schedule to the agreement. Another optional schedule may be used to incorporate the EU standard contractual clauses and/or UK international data transfer agreement/addendum for international transfers into the agreement.

Before using this template, you will need to clearly identify the roles of the parties within the scheme defined by the GDPRs. Is the party a controller, a processor or a sub-processor? To illustrate the different categories of actor here: imagine a social network that buys in hosting from a hosting services reseller.  A social network operator would usually be a controller, while a hosting services reseller providing services to the operator would usually be a processor, and the ultimate provider of the hosting services would be a sub-processor of the reseller.

  1. Definitions
  2. Supplemental
  3. Term
  4. Consideration
  5. Data protection
  6. Limits upon exclusions of liability
  7. Termination
  8. Effects of termination
  9. Notices
  10. General
  11. Interpretation


  1. Categories of data subject
  2. Types of Personal Data
  3. Purposes of processing
  4. Security measures for Personal Data
  5. Sub-processors of Personal Data


Does this document reflect the requirements of the GDPR?

Yes, this is a GDPR-friendly processing agreement. Remember, however, that there is much more to GDPR compliance than having the correct contracts in place.

Can the controller/processor document be used for processor-to-sub-processor contracts?

It would not be difficult to adapt its for these circumstances, but some terminological changes would be needed.

Copies of both versions of this data processing agreement are included in this pack:

Average rating (1 Review):  
write a review and share your opinions!

Excellent and easy to use
21 December 2018  | 

1 hour with this template and I had a more comprehensive DPA than anything I've seen from our clients - and that includes top tier law firms. It's clear, simple and by default includes a wide variety of eventualities. Thank you.


Thanks very much for the review Alexander - really appreciated. The main issue I see with customer DPAs is that they often seek to impose specific procedural obligations on services providers in relation to matters which affect large numbers of other customers (e.g. in relation to the appointment of sub-processors). It usually makes more sense for the services provider to prepare the DPA.