Data Processing Addendum Template for England and Wales
Generate a bespoke document
What is a Data Processing Addendum?
The Data Processing Addendum is essential when one party processes personal data on behalf of another under UK law. This document is required to comply with Article 28 of the UK GDPR and the Data Protection Act 2018, ensuring appropriate safeguards are in place for data processing activities. The DPA details processing instructions, security requirements, confidentiality obligations, and procedures for handling data subjects' rights. It becomes particularly crucial when services involve the handling of personal data, whether through cloud services, outsourcing, or other business arrangements within England and Wales.
About the Data Processing Addendum
A Data Processing Addendum (DPA) is a crucial legal document that governs the relationship between a data controller and data processor when personal data is processed on behalf of another party. Under England and Wales law, this addendum ensures compliance with the UK GDPR and Data Protection Act 2018, establishing clear responsibilities and safeguards for all parties involved in data processing activities.
When do you need this document?
You need a Data Processing Addendum whenever your business engages a third party to process personal data on your behalf, or when you provide data processing services to another organization. This includes situations such as using cloud storage providers, engaging marketing agencies that handle customer data, outsourcing payroll services, or contracting IT support companies that may access employee information. The addendum is also essential when working with software-as-a-service providers, customer relationship management systems, or any vendor that processes personal data as part of their service delivery. Without a properly executed DPA, you risk non-compliance with UK GDPR requirements and potential regulatory penalties.
Key legal considerations
The most critical aspect of a Data Processing Addendum is defining the processor's obligations under Article 28 of the UK GDPR. The document must specify the subject matter, duration, nature and purpose of processing, along with the types of personal data and categories of data subjects involved. Security measures form another cornerstone, requiring detailed technical and organizational measures to protect personal data against unauthorized access, disclosure, or destruction. The addendum should also address data subject rights, including procedures for handling access requests, rectification, erasure, and portability. Confidentiality obligations must be clearly stated, ensuring all processor personnel understand their responsibilities. Additionally, the document should cover data breach notification procedures, requirements for obtaining consent before engaging sub-processors, and protocols for data transfers outside the UK.
Legal requirements in England and Wales
Under England and Wales law, the UK GDPR mandates that processing contracts must be in writing and include specific mandatory clauses outlined in Article 28. The Data Protection Act 2018 provides additional requirements for certain types of processing activities. The addendum must comply with the Privacy and Electronic Communications Regulations (PECR) when electronic communications are involved. For organizations providing essential services or digital services, the Network and Information Systems Regulations 2018 may impose additional cybersecurity requirements. The document should also consider the common law duty of confidentiality that applies in England and Wales. Importantly, the addendum must address international data transfers, particularly post-Brexit arrangements, ensuring adequate safeguards are in place when data moves outside the UK. Failure to include these mandatory provisions can result in regulatory action by the Information Commissioner's Office and potential penalties of up to 4% of annual turnover or £17.5 million, whichever is higher.
GOVERNING LAW
Applicable law
This Data Processing Addendum is drafted to comply with England and Wales law. Key legislation includes:
Explore 208,390+ legal templates
Explore 208,390+ legal templates
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it