Time required: 1-2 hours. Difficulty: Medium.

How to Add GDPR Clauses to Contracts

Add GDPR clauses to contracts by identifying the data protection roles (controller/processor), including mandatory Article 28 processor terms where applicable, adding data sharing provisions for controller-to-controller arrangements, and ensuring clauses cover security, breach notification, and data subject rights.

Last updated: February 2025

Step-by-Step Guide

Step 1: Identify the data protection relationship

Determine whether each party is a controller, processor, or joint controller. This determines which clauses are needed.

Tips
  • A processor acts on the controller's instructions; a controller determines the purposes and means of processing.

Step 2: Draft controller-to-processor clauses

If one party is a processor, include mandatory Article 28 terms covering processing instructions, security, sub-processors, breach notification, audits, and data deletion.

Tips
  • Use the ICO's standard clauses as a starting point.

Step 3: Draft controller-to-controller clauses

If both parties are independent controllers, include provisions on lawful basis for sharing, data minimisation, security, breach notification, and data subject rights handling.

Tips
  • Each controller is independently responsible for compliance.

Step 4: Address international transfers

If data will be transferred outside the UK, include appropriate safeguards such as the UK International Data Transfer Agreement or UK Addendum to EU Standard Contractual Clauses.

Tips
  • Check whether the destination country has a UK adequacy decision.

Step 5: Include general compliance obligations

Add mutual obligations to comply with UK GDPR, cooperate on data subject requests, maintain records of processing, and provide data protection impact assessment assistance.

Tips
  • Include a right to terminate if the other party fails to comply with data protection obligations.

Legal Requirements

UK GDPR Article 28 requires a written contract between controller and processor with specific mandatory terms. Article 26 requires joint controllers to have a transparent arrangement. The Data Protection Act 2018 supplements UK GDPR with domestic provisions. The ICO can fine organisations up to £17.5 million or 4% of global annual turnover for non-compliance.

Common Mistakes

  • Misidentifying the data protection roles, leading to incorrect clauses being used
  • Using a full DPA when a simple data sharing clause would suffice for controller-to-controller arrangements
  • Not addressing international data transfers when using cloud services

Template / Example

Data Protection Clause: Each party shall comply with UK GDPR and the Data Protection Act 2018. Where [Party B] processes personal data on behalf of [Party A], the terms in Schedule [X] (Data Processing Agreement) shall apply. Each party shall notify the other of any personal data breach without undue delay.

When to Get a Solicitor

If the contract involves special category data, large-scale processing, international transfers, or if you are unsure about the data protection roles.

FAQ

Do all contracts need GDPR clauses?

Only contracts where personal data is shared or processed need GDPR clauses. If no personal data is involved in the commercial arrangement, data protection clauses are not required.

What is the difference between a DPA and a GDPR clause in a contract?

A GDPR clause is a brief provision in the main contract confirming compliance obligations. A DPA (Data Processing Agreement) is a detailed schedule or separate agreement with the mandatory Article 28 terms, used specifically when one party processes data on behalf of the other.

This is guidance, not legal advice. Consult a solicitor for complex matters.