Data Processing Agreement in accordance with the UK GDPR

According to the United Kingdom General Data Protection Regulation (UK GDPR), every company that wishes to commission a service provider to process personal data on the company’s behalf must have a Data Processing Agreement (i.e. an agreement or a contract for data processing on behalf of a controller) in place.

Such processors may be HR software providers, advertising and marketing agencies, cloud computing providers, web or e-mail hosting companies or freelancers.

The free Data Processing Agreement template from activeMind.legal UK Ltd. helps both controller and processor meet their obligations when processing personal data.

Frequently asked questions

The UK GDPR has increased the obligations on both controllers and processors. One obligation is to enter into a legally binding contract governing the processing of personal data when a processor (service provider) is commissioned to process personal data on behalf of the controller (the client).

The Data Processing Agreement specifies the rights and obligations of the controller and the processor as well as sub-processors, if applicable. In this way, it is easier to meet the accountability and joint-liability requirements of the UK GDPR.

The agreement for processing on behalf of a controller ensures that all parties involved process personal data properly; it establishes the primary requirements that the processor must adhere to before processing data on behalf of the controller. Thus, among other stipulations, the contract guarantees that the processor processes the data entrusted to it only on the instructions of the controller.

Above all, the processor is obligated to protect the data to an adequate extent. To ensure that the processor actually provides this level of data protection, the contract grants the controller audit rights.

The data protection agreement has to be adapted to the respective processors and their functions. An important component of the contract is an appendix that details the technical and organizational measures with which the processor guarantees an adequate standard of data protection and information security.