UK GDPR Data Processing Agreement Guide (Article 28) — 2025

📋 Article 28🇬🇧 UK GDPR⚖️ ICO🔒 Sub-Processors🆓 Template Available
June 202510 min readClickMasters Legal Team

Direct Answer

UK GDPR Article 28 requires a written contract between a data controller (the client) and a data processor (a software supplier processing personal data on the controller's behalf). Without a valid Data Processing Agreement (DPA), the controller is in breach of UK GDPR. ClickMasters provides a UK GDPR Article 28-compliant DPA with every engagement involving personal data processing.

Controller vs Processor — The Critical Distinction

This guide covers the UK GDPR Data Processing Agreement requirements as of June 2025. This is general information — consult a data protection solicitor for your specific circumstances. The ICO publishes guidance on Article 28 contracts at ico.org.uk.

RoleDefinitionExampleUK GDPR Obligations
Data ControllerDetermines the purposes and means of processingUK law firm (decides why client data is processed)All UK GDPR obligations apply directly
Data ProcessorProcesses personal data on behalf of a controllerClickMasters (processes client data to deliver software)Specific Article 28 obligations, plus Article 32 security
Joint ControllerTwo+ parties jointly determine purposes/meansTwo hospitals running a shared patient record systemBoth parties responsible — Article 26 required

What Must a UK GDPR Article 28 DPA Include?

Article 28(3) sets out mandatory terms. A DPA that omits any of these is non-compliant:

Mandatory Term

Article 28(3) Reference

What to Include

Process only on documented instructions

Art 28(3)(a)

Scope of processing, specific purposes, lawful basis reference

Confidentiality obligation

Art 28(3)(b)

Processor staff bound by confidentiality (employment contract or separate NDA)

Security measures

Art 28(3)(c) + Art 32

Technical and organisational measures — reference Annex (see below)

Sub-processor restrictions

Art 28(3)(d)

Prior written authorisation required; same obligations on sub-processors

Data subject rights assistance

Art 28(3)(e)

Processor assists controller in responding to DSARs, erasure requests

Assist with compliance obligations

Art 28(3)(f)

Security, breach notification (within 24/48 hours to controller), DPIAs, consultations with ICO

Delete or return data at end

Art 28(3)(g)

Delete or return all personal data at contract end — controller's choice

Provide audit evidence

Art 28(3)(h)

Allow audits/inspections by controller or appointed auditor

Article 32 Security Annex — What to Include

Encryption at rest: AES-256 for all personal data at rest (database, backups, S3).

Encryption in transit: TLS 1.2 minimum, TLS 1.3 preferred, for all personal data in transit.

Access controls: RBAC with least privilege, MFA for admin accounts, unique accounts per user.

Vulnerability management: Dependabot automated CVE scanning, OS patches within 14 days (Cyber Essentials).

Penetration testing: annual CREST penetration test for systems processing special category data.

Incident response: breach notification to controller within 24 hours of discovery.

Cyber Essentials: certified annually — certificate available on request.

The security measures in the DPA Annex should reflect the Article 32 risk-based approach. For ClickMasters engagements:

Sub-Processor Management

Sub-ProcessorPurposeLocationData Transfer Mechanism
Amazon Web Services (AWS)Cloud infrastructure, databases, storageeu-west-2 (London) — UK data residencyAWS Data Processing Addendum (DPA)
GitHub (Microsoft)Source code repository, CI/CD (code only — no live personal data)US — IDTA appliesMicrosoft Online Services DPA
Datadog (optional)Application performance monitoring, logsEU region configurableDatadog DPA + SCCs/IDTA
Stripe (payment projects only)Payment processingUK/EUStripe Data Processing Agreement

IDTA — International Data Transfer Addendum

Post-Brexit: transfers of UK personal data from the UK to non-adequate countries (including the US) require either the ICO's IDTA (International Data Transfer Addendum) or the UK GDPR Addendum to EU SCCs. The IDTA is the ICO's mechanism for authorising UK→US data transfers. AWS, GitHub, and Stripe all offer UK GDPR-compliant IDTAs. ClickMasters ensures all sub-processor IDTAs are in place for UK personal data transfers.

Frequently Asked Questions

Common questions about uk gdpr data processing agreement guide (article 28) — 2025.

Yes — ClickMasters provides a UK GDPR Article 28-compliant Data Processing Agreement with every engagement that involves personal data processing. The DPA is included in the ClickMasters master services agreement. A sub-processor list (updated when sub-processors change) is published on our website and provided on request.

Article 28(3)(h) gives the controller the right to audit the processor. ICO may contact the processor directly in an investigation. ClickMasters maintains: UK GDPR compliance documentation, Cyber Essentials certificate, annual penetration test report, and Article 28 DPAs with all sub-processors. These are available to controllers on request for audit purposes.

Only when ClickMasters processes personal data on the client's behalf. Building a system (software development) where ClickMasters does not access live personal data: typically no DPA required (unless development uses real data — anonymised test data is preferred). Hosting and operating a system with live personal data: DPA required. Ongoing managed services or support with production access: DPA required.

About the Author

ClickMasters Legal Team UK GDPR compliance specialists This guide is for information only. Consult a data protection solicitor for your specific situation.

Request a ClickMasters UK GDPR DPA...

Request a ClickMasters UK GDPR DPA ClickMasters provides a compliant Article 28 DPA with every engagement. Download our template or contact us. → clickmasterssoftwaredevelopmentcompany.co.uk/contact/

Book a Free Consultation