
Data Protection Clause in UK Contracts: What It Means & Example Wording

A data protection clause sets out the obligations of the parties in relation to the processing of personal data under the contract. Since the UK left the EU, data protection in the UK is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where one party processes personal data on behalf of the other, a data processing agreement (DPA) or data processing clause is legally required under Article 28 of the UK GDPR.

Last updated: February 2025

When to Include a Data Protection Clause

  • In every contract where one party will process personal data on behalf of the other — a data processing clause or separate DPA is a legal requirement under Article 28 UK GDPR
  • In employment contracts to explain how employee personal data will be processed, retained, and protected
  • In any agreement involving the sharing of customer, client, or employee personal data between organisations

Example Wording

Each party shall comply with its obligations under the Data Protection Legislation (meaning the UK GDPR, the Data Protection Act 2018, and all related legislation). Where the Supplier processes personal data on behalf of the Client, the Supplier shall: (a) process the personal data only on documented instructions from the Client; (b) ensure that persons authorised to process the personal data are subject to confidentiality obligations; (c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk; (d) not engage a sub-processor without the Client's prior written consent; (e) assist the Client in responding to data subject access requests; and (f) delete or return all personal data on termination of the Agreement. Note: This is illustrative wording only and should be tailored by a qualified legal professional.

This example wording is illustrative only. Customise it to your specific circumstances and consider seeking legal advice.

Is a Data Protection Clause Enforceable in the UK?

Data protection clauses are enforceable and, in the context of data processing agreements, are a legal requirement under Article 28 UK GDPR. The Information Commissioner's Office (ICO) can take enforcement action against both controllers and processors who fail to have appropriate contractual provisions in place. Fines for serious breaches of the UK GDPR can be up to £17.5 million or 4% of annual global turnover, whichever is higher.

Common Mistakes

  • Failing to include a data processing clause at all when one party processes data on behalf of the other — this is a breach of Article 28 UK GDPR
  • Not specifying the subject matter, duration, nature, and purpose of the processing, the type of personal data, and the categories of data subjects — all required by Article 28
  • Using a generic data protection clause instead of a tailored DPA — the ICO expects specific, detailed provisions that reflect the actual processing activities

FAQ

Do I need a data processing agreement for every contractor?

You need a data processing agreement (or clause) whenever a contractor processes personal data on your behalf as a data processor. If the contractor only accesses personal data incidentally and does not determine the purposes or means of processing, they may not be a processor. However, in practice, most contractors who handle any personal data will fall within the definition.

What is the difference between a data controller and a data processor?

A data controller determines the purposes and means of processing personal data — essentially deciding why and how data is processed. A data processor processes personal data on behalf of the controller, following the controller's instructions. The distinction matters because controllers have more obligations and greater liability under the UK GDPR.


This is guidance for UK businesses, not legal advice. Example wording is illustrative. Consult a solicitor for complex matters.
