Data processing agreement

Data Processing Agreement

Updated 14 January 2022

In this Agreement, “Data Protection Legislation” means 1) unless and until EU Regulation 2016/679 General Data Protection Regulation (“GDPR”) is no longer directly applicable in the UK, the GDPR and any national implementing laws, regulations, and secondary legislation (as amended from time to time), in the UK and subsequently 2) any legislation which succeeds the GDPR;

In this Agreement, “personal data”, “data subject”, “data controller”, “data processor”, and “personal data breach” shall have the meaning defined in Article 4, EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

Both parties to this Agreement shall comply with all applicable data protection requirements set out in the Data Protection Legislation. This Agreement shall not relieve either party of any obligations set out in the Data Protection Legislation and shall not remove or replace any of those obligations.

The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in this Agreement or any other contract between the parties.

The Data Processor shall:

  • Process the personal data only on the written instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law.


  • Ensure that it has in place suitable technical and organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures. Measures to be taken shall be agreed between the Data Controller and the Data Processor and set out in a Schedule to the Agreement.


  • Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential; and


  • Not transfer any personal data outside of the European Economic Area without the prior written consent of the Data Controller and only if the following conditions are satisfied:


a. The Data Controller and/or the Data Processor has/have provided suitable
safeguards for the transfer of personal data;

b. Affected data subjects have enforceable rights and effective legal remedies;

c. The Data Processor complies with its obligations under the Data Protection
Legislation, providing an adequate level of protection to any and all personal data
so transferred; and

d. The Data Processor complies with all reasonable instructions given in advance by
the Data Controller with respect to the processing of the personal data.

Assist the Data Controller at the Data Controller’s cost, in responding to any and all requests from data subjects in ensuring its compliance with the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office);

  • Notify the Data Controller without undue delay of a personal data breach;


  • On the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination of the Agreement unless it is required to retain any of the personal data by law; and


  • Maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this Agreement and to allow for audits by the Data Controller and/or any party designated by the Data Controller.


The Data Processor shall not subcontract any of its obligations to a sub-processor with respect to the processing of personal data under this Agreement without the prior written consent of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a sub-processor, the Data Processor shall:

  • Enter into a written agreement with the sub-processor, which shall impose upon the sub-processor the same obligations as are imposed upon the Data Processor by this Agreement and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and


  • Ensure that the sub-processor complies fully with its obligations under that agreement and the Data Protection Legislation.