Data Processing Agreement (GDPR) — Step 1 of 10 — Online Contracts UK
← All documents
🔐 Data Processing Agreement (GDPR)
Step 1/10
Step 1 of 10
Data Controller
ℹ️ Data Processing Agreements — Legal background

UK GDPR Article 28 requires a written contract between a data controller and any data processor. This is mandatory — not optional. Common examples: cloud hosting providers, payroll providers, marketing agencies, and IT support companies all act as processors for their clients.

  • Mandatory under UK GDPR Art. 28 — failure is a breach
  • Controller: decides why and how data is processed
  • Processor: processes data only on controller's instructions
  • Sub-processors: processor must get controller's consent to use sub-processors
  • ICO: standard contractual clauses available but bespoke DPAs are also valid

Legal reference: UK GDPR Article 28; Data Protection Act 2018; ICO guidance

← All docs