GDPR Clause in UK Contracts: What It Means & Example Wording

When to Include a GDPR Clause

• In any contract where personal data is processed, shared, or transferred between parties — especially where one party acts as a data processor
• In international contracts where personal data crosses borders between the UK and other jurisdictions
• In technology and SaaS agreements where the service provider stores or processes user personal data

Example Wording

This example wording is illustrative only. Customise it to your specific circumstances and consider seeking legal advice.

Is a GDPR Clause Enforceable in the UK?

GDPR clauses are enforceable and reflect mandatory legal requirements under the UK GDPR and Data Protection Act 2018. Contracts that fail to include required data processing terms expose both parties to regulatory enforcement by the ICO. The UK GDPR requires that processing by a processor is governed by a contract that sets out the subject matter, duration, nature and purpose of the processing, the type of personal data, and the categories of data subjects. International data transfer mechanisms (UK SCCs, adequacy decisions, or binding corporate rules) must also be contractually documented.

Common Mistakes

• Using EU GDPR template clauses without adapting them for the UK GDPR — since Brexit, the UK has its own data protection regime and referencing 'EU GDPR' or 'EU supervisory authorities' in a UK contract is incorrect
• Failing to address international data transfers — if data moves between the UK and countries without an adequacy decision, appropriate safeguards must be contractually documented
• Not specifying breach notification timeframes — the UK GDPR requires notification to the ICO within 72 hours of becoming aware of a breach, and the contract should require the processor to notify the controller even sooner