Data Protection Clause in UK Contracts: What It Means & Example Wording
A data protection clause sets out the obligations of the parties in relation to the processing of personal data under the contract. Since the UK left the EU, data protection in the UK is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where one party processes personal data on behalf of the other, a data processing agreement (DPA) or data processing clause is legally required under Article 28 of the UK GDPR.
Last updated: February 2025
When to Include a Data Protection Clause
- In every contract where one party will process personal data on behalf of the other — a data processing clause or separate DPA is a legal requirement under Article 28 UK GDPR
- In employment contracts to explain how employee personal data will be processed, retained, and protected
- In any agreement involving the sharing of customer, client, or employee personal data between organisations
Example Wording
This example wording is illustrative only. Customise it to your specific circumstances and consider seeking legal advice.
Is a Data Protection Clause Enforceable in the UK?
Data protection clauses are enforceable and, in the context of data processing agreements, are a legal requirement under Article 28 UK GDPR. The Information Commissioner's Office (ICO) can take enforcement action against both controllers and processors who fail to have appropriate contractual provisions in place. Fines for serious breaches of the UK GDPR can be up to £17.5 million or 4% of annual global turnover, whichever is higher.
Common Mistakes
- Failing to include a data processing clause at all when one party processes data on behalf of the other — this is a breach of Article 28 UK GDPR
- Not specifying the subject matter, duration, nature, and purpose of the processing, the type of personal data, and the categories of data subjects — all required by Article 28
- Using a generic data protection clause instead of a tailored DPA — the ICO expects specific, detailed provisions that reflect the actual processing activities
FAQ
Do I need a data processing agreement for every contractor?
You need a data processing agreement (or clause) whenever a contractor processes personal data on your behalf as a data processor. If the contractor only accesses personal data incidentally and does not determine the purposes or means of processing, they may not be a processor. However, in practice, most contractors who handle any personal data will fall within the definition.
What is the difference between a data controller and a data processor?
A data controller determines the purposes and means of processing personal data — essentially deciding why and how data is processed. A data processor processes personal data on behalf of the controller, following the controller's instructions. The distinction matters because controllers have more obligations and greater liability under the UK GDPR.