UK Data Processing Agreement: Article 28 UK GDPR Guide

Steven | TrustYourWebsite · 28 May 2026 · Last updated: June 2026

A data processing agreement (DPA) is the written contract that Article 28 of the UK GDPR requires between a UK controller and any processor that handles personal data on the controller's behalf. Without it, using a third-party service for personal data of UK residents is unlawful, regardless of how reputable the service is.

The ICO's controller-processor contracts guidance is the primary UK reference. The Data Protection Act 2018 gives the UK GDPR domestic effect. The ICO may impose fines of up to £17.5 million or 4% of global annual turnover for serious violations.


Controller vs processor: the 30-second test

You are the controller when you decide why personal data is collected and how it is used. Your customers' names, email addresses and purchase history belong to you as controller.

A third party is a processor when it processes personal data only on your documented instructions. It does not repurpose the data for its own ends beyond what the contract allows.

Three signals indicate a processor relationship:

  • The service receives or accesses personal data you have collected
  • The service acts on your instructions, not on its own purposes
  • The service does not determine its own processing goals beyond what you authorise

Some services act as independent controllers. They receive data from your site and use it for their own purposes. Examples are advertising platforms running their own targeting systems and payment processors running their own fraud detection. The contract obligation differs: independent controllers need a privacy notice disclosure, not an Article 28 DPA.

Which services on a UK website are usually processors?

| Service category | Processor? | Typical UK examples |
|---|---|---|
| Hosting and VPS | Yes | Fasthosts, IONOS UK, AWS London region, Cloudflare |
| Email marketing | Yes | Mailchimp, MailerLite, Brevo |
| Transactional email | Yes | Postmark, AWS SES, Resend |
| Analytics | Yes | Google Analytics, Plausible, Matomo Cloud |
| Payment processing | Yes (often also independent controller) | Stripe, PayPal, SumUp |
| CRM | Yes | HubSpot, Pipedrive, Salesforce |
| Customer support / chat | Yes | Intercom, Crisp, Zendesk |
| Booking system | Yes | OpenTable, Booksy, Acuity |
| Accountant with system access | Yes | UK accounting firm with access to your books |
| Form builder | Yes | Typeform, Tally |
| CDN | Yes | Cloudflare, Fastly, AWS CloudFront |
| Embedded video | Depends | YouTube acts as independent controller for its own purposes |
| Social login | Generally no | OAuth providers determine their own purposes |

The classification matters because it determines what contract you need. Processors need Article 28 DPAs. Independent controllers need a disclosed controller-to-controller relationship in your privacy notice.

What Article 28(3) UK GDPR requires the DPA to cover

Article 28(3) UK GDPR sets out the subjects every processor contract must address. The ICO's controller-processor contracts guidance maps directly to these requirements.

| # | Required subject | What to check in the DPA |
|---|---|---|
| 1 | Subject matter and duration | Description of what the processor does and how long the relationship lasts |
| 2 | Nature and purpose | Why the data is processed and the operational character of the processing |
| 3 | Type of personal data and categories of data subjects | Explicit list (customers, employees, leads) and data categories |
| 4 | Controller obligations and rights | Controller's right to issue instructions and request audits |
| 5 | Process only on documented instructions | Explicit clause covering international transfers too |
| 6 | Confidentiality of authorised personnel | Processor staff bound by confidentiality |
| 7 | Article 32 security measures | Reference to specific technical and organisational measures (TOMs), often in an annex |
| 8 | Sub-processor authorisation | Prior-authorisation mechanism and back-to-back obligations on sub-processors |
| 9 | Assistance with data subject rights | Help with access, erasure and portability requests |
| 10 | Assistance with breach notification and DPIAs | Notification within a stated SLA and support for data protection impact assessments (DPIAs) |
| 11 | Return or delete at end of services | Controller's choice between return and deletion on termination |
| 12 | Audit and information rights | Audit clause and duty to provide compliance information |

If you cannot locate each of these in the DPA you signed, you do not have a compliant UK GDPR DPA.

UK post-Brexit context: what changed on 1 January 2021

The UK left the EU single market on 1 January 2021. The UK GDPR is a retained version of the EU GDPR with the same Article 28 text. Three things are different for UK controllers:

Supervisory authority. The ICO is the UK supervisory authority, not the EDPB or any EU DPA. ICO enforcement decisions and guidance apply, not CNIL, BfDI or other EU authority decisions.

No UK-specific Article 28 SCCs. The ICO has not adopted bespoke UK controller-to-processor standard contractual clauses equivalent to the EU Commission's Implementing Decision 2021/915. UK controllers can use the 2021/915 template as a drafting baseline because it maps to Article 28(3), but it is not a formally ICO-approved instrument in the same way as the IDTA. A bespoke DPA that covers every Article 28(3) item is equally valid and often preferable.

International transfers out of the UK use different instruments. If your UK processor sends data outside the UK (for example, a UK email tool that uses US infrastructure), the relevant transfer mechanism is the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs. The EU Commission's Decision 2021/914 SCCs for international transfers do not apply to transfers leaving the UK. They apply to transfers leaving the EEA. This is a genuine post-Brexit divergence that UK controllers must handle correctly when onboarding processors with non-UK infrastructure.

How reputable UK vendors structure their DPAs

Most enterprise vendors offer a click-to-accept DPA recorded in the account audit log.

  • Stripe: Data Processing Addendum accepted from Stripe Dashboard under Settings > Compliance.
  • Google Workspace or Google Analytics: Data Processing Amendment auto-accepted on account creation. Specific terms link from the admin console.
  • Cloudflare: Data Processing Addendum accepted from the dashboard.
  • Mailchimp: DPA available from the Compliance page in the user portal. Click-to-accept.
  • HubSpot: Data Processing Agreement linked from the customer terms. Auto-accepted with the master subscription agreement.

Archive the acceptance confirmation. A screenshot or downloaded PDF is your evidence in an ICO investigation.

ICO enforcement signals

The ICO checks for documented Article 28 contracts in every investigation involving a processor-related breach. A missing DPA is treated as a standalone Article 28 violation in addition to any underlying security failure. The ICO's annual report and published enforcement decisions show that processor-related findings consistently appear as aggravating factors when organisations are fined.

The ICO's direct marketing guidance and sector-specific enforcement records confirm that small businesses are not exempt from Article 28 requirements. The obligation scales to every size of organisation.

What to do when a vendor refuses

If a vendor has no DPA and refuses to provide one, there are three options:

  1. Replace the vendor with one that offers a compliant DPA. Almost always the right move.
  2. Use the 2021/915 template clauses as a drafting baseline and ask the vendor to sign. Some smaller vendors accept a template because it removes drafting cost.
  3. Stop sending personal data to the vendor. If the function can be performed without personal data, the Article 28 obligation does not arise.

Continuing to use a non-compliant vendor in production is not an option. The ICO checks for compliant contracts on every processor-related inspection.

Sub-processors: the chain-of-custody requirement

Article 28(2) UK GDPR requires prior written authorisation from the controller before the processor engages a sub-processor. Most vendor DPAs operationalise this as general authorisation: the controller authorises the processor's current sub-processor list plus future additions, with a right to object within a notice period.

Practical steps:

  • Request each vendor's current sub-processor list at onboarding
  • Subscribe to sub-processor change notifications if the vendor offers them
  • Record sub-processors in the Article 30 record of processing activities (the internal log of what data you process and why)
  • If a vendor adds a sub-processor in a high-risk country, check the international transfer mechanism before the change takes effect

Common mistakes

No DPA before processing starts. Adding the DPA after processing has already begun does not fix the prior breach. Sign before integration.

DPA covers only some Article 28(3) subjects. Especially common: missing audit clause, missing sub-processor authorisation and missing return-or-delete clause.

Click-to-accept record lost on staff turnover. The DPA was accepted by a previous administrator and no one can locate the record. Archive acceptance in a system that survives staff changes.

Processor also acts as independent controller. Some vendors process your data as a processor (for your use of the service) and separately as an independent controller (for their own analytics or product development). The DPA must distinguish these roles clearly.

Free-tier vendor with no DPA. Free pricing does not exempt a vendor from Article 28. If no DPA is available, the service cannot be used for UK personal data in production.

Practical onboarding workflow for UK SMBs

For each new third-party service that will receive personal data:

  1. Identify the processing role (processor, joint controller or independent controller)
  2. Locate the vendor's DPA in their documentation or legal pages
  3. Verify the DPA covers the Article 28(3) subjects in the checklist above
  4. Accept the DPA and archive proof of acceptance
  5. Note the UK international transfer mechanism: UK adequacy regulations, IDTA, UK Addendum to EU SCCs or binding corporate rules (BCRs, usually only relevant to multinational groups)
  6. Add the vendor to the Article 30 record of processing activities
  7. Add the vendor to the recipients section of your privacy notice
  8. Subscribe to sub-processor change notifications

Final checklist

  • Inventory of every third-party service that receives personal data
  • DPA in place for each processor before processing begins
  • DPA covers all Article 28(3) UK GDPR subjects
  • Proof of acceptance archived and accessible to current staff
  • Sub-processor list current and reflected in the Article 30 record
  • UK international transfer mechanism noted per processor (IDTA or UK Addendum where applicable)
  • DPA review scheduled at least annually
  • Process to evaluate new vendors before procurement

For the broader UK GDPR compliance picture, see the UK GDPR compliance guide for UK businesses and the privacy policy requirements under UK GDPR. The ICO investigation process guide explains what an ICO audit looks like in practice.


This is technical analysis, not legal advice. For enterprise SaaS contracts with custom processing terms or active ICO investigations, consult a solicitor who specialises in data protection.
