Data Processing Agreement (DPA) meaning

What does Data Processing Agreement (DPA) mean?
A data processing agreement (DPA) is the contract used when a controller engages a processor to handle personal data on its behalf. It is mandated by Article 28 GDPR: in the UK under the UK GDPR and the Data Protection Act 2018, and in Ireland under the EU GDPR and the Data Protection Act 2018 (Ireland). The agreement must set out the subject matter, duration, nature and purpose of processing, the types of personal data and categories of data subject, and include clauses requiring the processor to: act only on documented instructions; ensure confidentiality; implement appropriate security; control and flow down obligations to sub‑processors (with prior authorisation); assist with data subject rights, security and DPIA obligations; notify personal data breaches; return or delete data at the end of the engagement; and make information available for audits. Parties commonly add liability and indemnity terms and, where relevant, international transfer safeguards (e.g., UK IDTA or EU SCCs). Usage and core content are broadly consistent across England & Wales, Scotland, Northern Ireland and Ireland, with differences arising mainly from the applicable GDPR regime and transfer tools. Not to be confused with a “Deferred Prosecution Agreement” in criminal law, available in England and Wales under Schedule...

View the related Practice Notes about Data Processing Agreement (DPA)

PRACTICE NOTES
UK data sharing between controllers for commercial organisations: practical compliance under UK GDPR and DPA 2018, with ICO Code guidance and DUAA 2025 changes

STOP PRESS: This document is being updated to reflect implementation of the Data (Use and Access) Act 2025 (DUAA 2025) which amends the UK GDPR and Data Protection Act 2018. For detailed advice on DUAA 2025’s compliance impact, consult Practice Note: Data (Use and Access) Act 2025—compliance implications. The Practice Note outlines the real-world considerations for commercial organisations planning to disclose or obtain personal data. It reflects the obligations set by the UK General Data Protection Regulation (UK GDPR), Assimilated Regulation (EU) 2016/679, the Data Protection Act 2018 (DPA 2018), and the Information Commissioner’s Office (ICO) Data sharing code of practice. The ICO is legally required to issue a data sharing code and to have regard to it when applying its regulatory functions. Where relevant, courts must likewise take the Data sharing code of practice into account. The ICO Code offers pragmatic direction to organisations on meeting their data protection duties when sharing personal data. Its purpose is to support the transparent, lawful, and fair exchange of personal data....

PRACTICE NOTES
Consent under the UK Data Protection Act 1998: definition, legal bases, explicit consent for sensitive personal data, obtaining and withdrawal, children, and EEA transfers (archived pre-GDPR)

ARCHIVED: This archived Practice Note sets out key details of the data protection regime before 25 May 2018 and records the legal position under the Data Protection Act 1998 (DPA 1998). This Practice Note is provided for general background purposes only and is not currently maintained.

Background to consent

To meet the first data protection principle in the DPA 1998, as stemming from Directive 95/46/EC (the Data Protection Directive), data controllers must be able to evidence, among other things, that they have satisfied: one of the conditions for processing personal data under DPA 1998, Sch 2; and if the data amounts to sensitive personal data, then, in addition, one of the conditions for processing sensitive personal data under: DPA 1998, Sch 3; or under the Data Protection (Processing of Sensitive Personal Data) Order 2000, SI 2000/417, which sets out extra conditions permitting the processing of sensitive personal data in limited circumstances. ...

PRACTICE NOTES
UK-EU data protection after Brexit: UK GDPR and EU GDPR compliance, adequacy and international transfers, one-stop-shop, representatives, breach reporting, DPIAs and contract drafting guidance [Archived]

ARCHIVED: This archived Practice Note sets out details of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, SI 2019/419, together with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020, SI 2020/1586, plus salient elements of the EU-UK Withdrawal Agreement and the EU-UK Trade and Cooperation Agreement insofar as they concern data protection. It is no longer updated and is provided for background only. For guidance on continuing divergence between data protection requirements under the GDPR frameworks, refer to Practice Note: Introduction to the EU GDPR and UK GDPR. This Practice Note examines how Brexit affects routine processing of personal data under the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), which took direct effect in the UK and all other EU Member States on 25 May 2018, and, since its inclusion in the EEA Agreement, has governed personal data processing throughout the EEA (the EU alongside Iceland, Norway and Liechtenstein). In the UK, incorporation of the EU GDPR...


View the related Precedents about Data Processing Agreement (DPA)

PRECEDENTS
Precedent controller–processor data processing side agreement (pro‑controller): UK GDPR/DPA 2018 terms, sub-processor controls, audits, breach response, deletion/return; international transfers restricted (England and Wales law)

This Agreement is entered into on [ date ]

Parties

[ Insert name of supplier ], a company incorporated in [ England and Wales ] under number [ insert registered number ], with its registered office at [ insert address ] (Supplier); and

[ Insert name of customer ], a company incorporated in [ England and Wales ] under number [ insert registered number ], with its registered office at [ insert address ] (Customer).

Each of the Supplier and the Customer is a party, and together the Supplier and the Customer constitute the parties.

Background

The Supplier is a seasoned provider of [ insert details ]. This Agreement regulates all processing of Protected Data carried out by the Supplier under, and in relation to, [ the Principal Agreement OR all of Our Arrangements ]. ...
