Data Processing Agreement (DPA) — Art.28 UK GDPR Template

Mandatory when working with any sub-processor who accesses personal data — accountants, IT companies, marketing agencies, hosting providers. Fillable Word template with dual signature page.

Covers:

- Processor obligations under Art.28 UK GDPR

- Security measures table (Art.32) — encryption, access control, backup, training

- Sub-processor management with 14-day objection window

- Breach notification — 24hr to Controller → 72hr ICO chain

- UK International Data Transfer Agreements (IDTAs) and SCCs

- Data return and deletion within 30 days of termination

- Audit rights — including SOC 2 / ISO 27001 as alternative

Aligned with UK GDPR, Data Protection Act 2018 and ICO guidance.

Delivered as .docx (Microsoft Word) — fully editable and adaptable.