Data Processing Addendum Template for England and Wales

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Data Processing Addendum?

The Data Processing Addendum is essential when one party processes personal data on behalf of another under UK law. This document is required to comply with Article 28 of the UK GDPR and the Data Protection Act 2018, ensuring appropriate safeguards are in place for data processing activities. The DPA details processing instructions, security requirements, confidentiality obligations, and procedures for handling data subjects' rights. It becomes particularly crucial when services involve the handling of personal data, whether through cloud services, outsourcing, or other business arrangements within England and Wales.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

England and Wales

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Data Processing Addendum

A Data Processing Addendum (DPA) is a crucial legal document that governs the relationship between a data controller and data processor when personal data is processed on behalf of another party. Under England and Wales law, this addendum ensures compliance with the UK GDPR and Data Protection Act 2018, establishing clear responsibilities and safeguards for all parties involved in data processing activities.

When do you need this document?

You need a Data Processing Addendum whenever your business engages a third party to process personal data on your behalf, or when you provide data processing services to another organization. This includes situations such as using cloud storage providers, engaging marketing agencies that handle customer data, outsourcing payroll services, or contracting IT support companies that may access employee information. The addendum is also essential when working with software-as-a-service providers, customer relationship management systems, or any vendor that processes personal data as part of their service delivery. Without a properly executed DPA, you risk non-compliance with UK GDPR requirements and potential regulatory penalties.

Key legal considerations

The most critical aspect of a Data Processing Addendum is defining the processor's obligations under Article 28 of the UK GDPR. The document must specify the subject matter, duration, nature and purpose of processing, along with the types of personal data and categories of data subjects involved. Security measures form another cornerstone, requiring detailed technical and organizational measures to protect personal data against unauthorized access, disclosure, or destruction. The addendum should also address data subject rights, including procedures for handling access requests, rectification, erasure, and portability. Confidentiality obligations must be clearly stated, ensuring all processor personnel understand their responsibilities. Additionally, the document should cover data breach notification procedures, requirements for obtaining consent before engaging sub-processors, and protocols for data transfers outside the UK.

Legal requirements in England and Wales

Under England and Wales law, the UK GDPR mandates that processing contracts must be in writing and include specific mandatory clauses outlined in Article 28. The Data Protection Act 2018 provides additional requirements for certain types of processing activities. The addendum must comply with the Privacy and Electronic Communications Regulations (PECR) when electronic communications are involved. For organizations providing essential services or digital services, the Network and Information Systems Regulations 2018 may impose additional cybersecurity requirements. The document should also consider the common law duty of confidentiality that applies in England and Wales. Importantly, the addendum must address international data transfers, particularly post-Brexit arrangements, ensuring adequate safeguards are in place when data moves outside the UK. Failure to include these mandatory provisions can result in regulatory action by the Information Commissioner's Office and potential penalties of up to 4% of annual turnover or £17.5 million, whichever is higher.

GOVERNING LAW

Applicable law

This Data Processing Addendum is drafted to comply with England and Wales law. Key legislation includes:

UK GDPR: The UK General Data Protection Regulation - the primary data protection legislation in the UK post-Brexit, setting out the key principles, rights and obligations for processing personal data

Data Protection Act 2018: The UK's implementation of data protection legislation that works alongside and supplements the UK GDPR, providing additional local requirements and exemptions

PECR: Privacy and Electronic Communications Regulations - specific rules for electronic communications, including electronic marketing, cookies and privacy in telecommunications

NIS Regulations 2018: Network and Information Systems Regulations - focusing on cybersecurity requirements for essential services and digital service providers

Common Law Duty of Confidentiality: Legal principle requiring information shared in confidence to be protected and only disclosed with permission or legal requirement

EU GDPR: European Union General Data Protection Regulation - relevant for cross-border data transfers between UK and EU, and when dealing with EU data subjects

UK IDTA: UK International Data Transfer Agreement - mechanism for ensuring adequate protection when transferring personal data outside the UK

Standard Contractual Clauses: Standard contractual terms approved by regulatory authorities for international data transfers

ICO Guidance: Official guidance from the Information Commissioner's Office, the UK's data protection regulator, providing practical interpretation of data protection requirements

EDPB Guidelines: European Data Protection Board guidelines providing interpretation and consistency in application of data protection rules, relevant for UK-EU relationships

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it