Data Processing Agreement Template

Document ID: PIMS-SUP-012
Version: 2.0 | Date: April 2025 | Classification: Template — Legal Review Required

IMPORTANT: This is a template for reference purposes only. It does not constitute legal advice. All DPAs should be reviewed by qualified legal counsel before execution. This template is drafted for UK/EU GDPR compliance but should be adapted for applicable local law.


DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA" or "Agreement") is entered into between:

The Controller:
[Controller Organisation Name] ("Controller")
Registered address: [Address]
Company registration: [Number]
Data Protection Officer (if appointed): [Name / Email]

The Processor:
[Processor Organisation Name] ("Processor")
Registered address: [Address]
Company registration: [Number]
Data Protection Contact: [Name / Email]

Together, the "Parties."

Effective Date: [Date]
Reference Number: [DPA-REF-NNN]


1. Definitions

In this Agreement:

  • "Controller" means the organisation that determines the purposes and means of processing Personal Data
  • "Processor" means the organisation that processes Personal Data on behalf of the Controller
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Data Subject" means the individual to whom the Personal Data relates
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data
  • "Applicable Law" means UK GDPR / EU GDPR and all applicable data protection legislation
  • "Supervisory Authority" means the ICO (UK) or relevant national authority

2. Subject Matter and Duration

2.1 This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the services described in Schedule 1 (Services Description).

2.2 The Processor shall process Personal Data only for the duration of the services agreement between the Parties, or until terminated in accordance with this DPA.


3. Instructions

3.1 The Processor shall only process Personal Data on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries.

3.2 If the Processor is required by Applicable Law to process Personal Data beyond the Controller's instructions, the Processor shall inform the Controller of that legal requirement before carrying out the processing, unless the law prohibits such notification on important grounds of public interest.

3.3 The Controller's instructions are set out in Schedule 1. Additional instructions may be given by the Controller in writing from time to time.


4. Confidentiality

4.1 The Processor shall ensure that persons authorised to process Personal Data are subject to a binding duty of confidentiality.

4.2 Access to Personal Data shall be restricted to those who need it to perform the services.


5. Security

5.1 The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate:

(a) Pseudonymisation and encryption of Personal Data
(b) Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
(c) Ability to restore availability and access to Personal Data in a timely manner following a physical or technical incident
(d) Regular testing of the effectiveness of security measures

5.2 The security measures currently implemented by the Processor are described in Schedule 2 (Technical and Organisational Measures).


6. Sub-processing

6.1 The Processor shall not engage a sub-processor without prior specific or general written consent of the Controller.

6.2 The Controller grants general authorisation for the Processor to engage the sub-processors listed in Schedule 3, subject to the conditions in clause 6.3.

6.3 The Processor shall impose data protection obligations on sub-processors equivalent to those in this DPA.

6.4 The Processor shall notify the Controller of any intended changes to sub-processors at least [30] days in advance, giving the Controller the opportunity to object.

6.5 The Processor remains liable to the Controller for any breach by a sub-processor.


7. Data Subject Rights

7.1 The Processor shall assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Applicable Law.

7.2 The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject.

7.3 The Processor shall not respond to Data Subject requests without the Controller's prior written approval, except where required by law.


8. Data Protection Impact Assessments

8.1 The Processor shall assist the Controller in carrying out Data Protection Impact Assessments where required, by providing relevant information about the Processor's processing activities.

8.2 The Processor shall assist with any prior consultation with the Supervisory Authority where required following a DPIA.


9. Security Incidents and Breach Notification

9.1 The Processor shall notify the Controller without undue delay, and in any event within [24] hours, of becoming aware of a Personal Data breach affecting Personal Data processed under this DPA, so that the Controller can meet its own obligation under Applicable Law to notify the Supervisory Authority within 72 hours where required.

9.2 The notification shall include, at minimum:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Contact details of the Processor's data protection contact
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

9.3 Where it is not possible to provide all information immediately, it shall be provided in phases without undue further delay.


10. Deletion and Return of Data

10.1 Upon termination of the services or upon written instruction by the Controller, the Processor shall, at the Controller's choice:

(a) Delete all Personal Data and certify such deletion in writing; or
(b) Return all Personal Data to the Controller in a commonly used, machine-readable format and then delete the copies it holds,

unless Applicable Law requires the Processor to continue storing the Personal Data.

10.2 Any copies retained by the Processor (e.g., in backups) shall be deleted as soon as reasonably practicable and in any event within [30] days of the instruction. Where Applicable Law requires continued storage, the Processor shall keep such copies protected under this DPA and shall not process them for any other purpose.

10.3 The Processor shall provide a written certificate of deletion within 5 business days of completion.


11. Audit Rights

11.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA.

11.2 The Processor shall allow for and contribute to audits and inspections conducted by the Controller or an auditor appointed by the Controller, on reasonable notice (minimum 10 business days) and during business hours. Audit costs shall be borne by the Controller unless the audit reveals a material breach.

11.3 The Processor may satisfy audit requirements by providing a current ISO/IEC 27001 certificate (with its statement of applicability), a current SOC 2 Type II report, other independent third-party audit reports, or equivalent evidence where agreed, provided that the scope of such evidence covers the services and systems used to process the Controller's Personal Data.


12. International Transfers

12.1 The Processor shall not transfer or permit the transfer of Personal Data to a country outside the UK/EEA without the prior written consent of the Controller.

12.2 Any approved cross-border transfer shall be made subject to an appropriate transfer mechanism under Applicable Law (an adequacy decision or adequacy regulations; the EU Standard Contractual Clauses or, for transfers from the UK, the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs; Binding Corporate Rules; or an approved derogation), together with any transfer risk assessment required by that mechanism.

12.3 Current transfer arrangements are described in Schedule 1 and, for each sub-processor, in Schedule 3.


13. Liability and Indemnity

13.1 Each Party shall be liable for its own acts and omissions in connection with its obligations under this DPA.

13.2 Nothing in this DPA shall limit either Party's liability for fraud, wilful misconduct, or any other liability that cannot be limited by law.


14. Governing Law and Jurisdiction

This DPA shall be governed by the laws of England and Wales / [applicable jurisdiction] and the Parties submit to the exclusive jurisdiction of the courts of England and Wales / [applicable court].


SCHEDULE 1 — PROCESSING DETAILS

Field | Detail
Services | [Description of services under the main agreement]
Nature of processing | [Collection, storage, retrieval, consultation, use, disclosure, deletion, etc.]
Purposes of processing | [Specific purpose(s)]
Duration | [Duration of services agreement / specific period]
Categories of Personal Data | [e.g., Name, email, address, purchase history, etc.]
Special Category Data | [Yes/No; if yes, specify]
Categories of Data Subjects | [e.g., Customers, employees, website visitors]
Frequency | [Continuous / periodic / one-off]
Cross-border transfers | [Destination countries and transfer mechanism]

SCHEDULE 2 — TECHNICAL AND ORGANISATIONAL MEASURES (TOMs)

The Processor confirms the following security measures are implemented:

Control Implemented
Encryption of Personal Data at rest ☐ Yes / ☐ No
Encryption of Personal Data in transit (TLS 1.2+) ☐ Yes / ☐ No
Multi-factor authentication for system access ☐ Yes / ☐ No
Role-based access controls (least privilege) ☐ Yes / ☐ No
Regular security patching and vulnerability management ☐ Yes / ☐ No
Access audit logging ☐ Yes / ☐ No
Employee privacy and security training ☐ Yes / ☐ No
Background checks on staff with PII access ☐ Yes / ☐ No
Incident response procedure ☐ Yes / ☐ No
Business continuity / disaster recovery plan ☐ Yes / ☐ No
ISO 27001 certification ☐ Yes / ☐ No — Certificate: [Number/Date]
SOC 2 Type II report ☐ Yes / ☐ No — Report date: [Date]
Regular penetration testing ☐ Yes / ☐ No — Last test: [Date]

SCHEDULE 3 — APPROVED SUB-PROCESSORS

Sub-processor | Country | Service | Data Categories | Transfer Mechanism
[Name] | [Country] | [Service] | [Categories] | [SCCs / IDTA / Adequacy / etc.]

Signatures

Signed for and on behalf of the Controller:

Name: ___________________________
Title: ___________________________
Date: ___________________________
Signature: _______________________

Signed for and on behalf of the Processor:

Name: ___________________________
Title: ___________________________
Date: ___________________________
Signature: _______________________


ISO/IEC 27701:2025 PIMS Toolkit | Data Processing Agreement Template | PIMS-SUP-012 | v2.0 | Classification: Template — Legal Review Required
This template requires legal review before use.