Skip to content
Platform|Embed
ContactAboutNewsReviewsBook a demo
Support
Custom templatesCreate templates in DocueReady-made legal templates150+ lawyer-made UK templatesElectronic signatureEffortless signing in secondsDocue DriveSecure, intelligent contract managementEmbedded Legal EngineEmbed templates into your own softwareEmbedded Sign EngineEmbed signing into your own software
Legal Templates
HubSpotSalesforcePipedriveOther systems
Pricing
SearchLog inBook a demo
PlatformEmbed
HomeLegal TemplatesPricingContactAboutNewsReviews
Book a demo

Already have an account? Sign in

  1. Legal Hub
  2. Checklist for ensuring your data processing addendum complies with the UK GDPR
0 % read

Checklist for ensuring your data processing addendum complies with the UK GDPR

Checklist•Last updated 15 Oct 2024
So, you’ve identified a need to put in place a data processing addendum. But what does that data processing addendum actually need to include to comply with data protection laws? Use our handy checklist to make sure that you include all mandatory clauses required by Article 28(3) of the UK GDPR.

1. Details of processing

The data processing addendum must include, as a minimum, the following information about the processing that is taking place by the processor under the arrangement: (i) subject-matter of the processing; (ii) the duration of the processing; (iii) the nature and purpose of the processing; (iv) the type of personal data (e.g. name, address, IP address, health data); and (v) categories of data subjects (e.g. customers, employees).

2. Documented instructions

An obligation must be included on the processor to only process personal data in accordance with the controller’s documented instructions. Those instructions could be set out in the data processing addendum itself, or provided by the controller in writing at a later date.

3. Duty of confidentiality

A clause must be included that ensures that persons authorised to process the personal data under the data processing addendum have committed themselves to binding confidentiality obligations.

4. Security measures

The processor must be required to implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of the controller’s personal data. This could include:

  • the pseudonymisation and encryption of the controller’s personal data. Pseudonymisation means techniques that replace, remove or transform information that identifies individuals, and keep that information separate;

  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

  • the ability to restore the availability and access to the controller’s personal data in a timely manner in the event of a physical or technical incident; and

  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

5. Conditions for appointing sub-processors

Where a processor engages another processor (known as a sub-processor) to carry out specific processing activities on behalf of the controller, the same data protection obligations as set out in the data processing addendum between the controller and the processor must be flowed down and imposed on that sub-processor. Find out more about appointing sub-processors with these FAQs.

6. Assisting with data subject rights requests

The processor must assist the controller in responding to any request from a data subject, which could include: (i) recording and referring all requests and communications received from data subjects to the controller within a specified time period; and (ii) not responding to any such requests without the controller’s express written approval, unless and to the extent required by applicable law.

7. Assisting with other controller’s obligations

The processor must also assist the controller with other legal obligations, including notifying the controller if it becomes aware of any personal data breach and assisting the controller with the data breach reporting process.

8. Delete or return personal data on termination

At the choice of the controller, the processor must be required to either delete or return all the personal data to the controller after the end of the provision of services relating to processing.

9. Records and audit

The processor must be required to make available to the controller all information necessary to demonstrate compliance with the obligations set out in the data processing addendum and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

10. Obligation to inform the controller if its instruction infringes DP laws

A clause should be included that requires the processor to notify a controller if an instruction given by the controller infringes data protection laws.

11. Conditions for international transfers

The processor must follow the controller’s instructions with respect to international transfers of personal data, including any restrictions on transferring personal data outside of the UK and EEA.

Final thoughts

Docue’s data protection addendum template includes all of the clauses listed above, plus more optional clauses too. Our data protection addendum template has been drafted by privacy lawyers to help your business be compliant with data protection laws - our lawyer-drafted guidance notes are there to guide you through the process so you can easily create your data processing addendum.

Unsure if you need a data processing addendum? Read our handy guide to when your business needs to use a data protection addendum template to comply with the UK GDPR.

Sign-up now to use Docue's data processing addendum template.

Author
Docue's Legal Team

Tags: data processing addendum, data protection addendum template, data processing addendum.


Related articles

Article•Updated 15 Oct 2024
Everything you need to know about data processing agreements, including the key clauses to include
FAQ•Updated 15 Oct 2024
Top 5 FAQs for employers about data protection compliance

Related legal templates

Data Processing AgreementData Sharing AgreementPrivacy Notice (Website)Data Protection Policy

About Docue

Docue gives you access to 150+ automated legal templates for all important business situations. Templates are maintained by experienced UK lawyers to stay up-to-date with English and Welsh legislation.

Features

  • Custom templates
  • Ready-made legal templates
  • Electronic signature
  • Contract management

Service

  • Pricing
  • Reviews
  • Integrations
  • Legal Hub
  • Support

Company

  • About
  • Contact
  • News
  • Solutions
  • Reviews

Other

  • Log in
  • Data Security
  • Privacy Policy
  • Terms of Use
  • Data Processing Agreement

Support site

Instructions for using the service and answers to frequently asked questions: help.docue.com/en

Customer Service

For business customers: support@docue.com

4.5
(142)
Google LogoReviews on Google
ISO logo

ISO/IEC 27001 certified

© 2026 Docue

•
  • Facebook
  • Instagram
  • Twitter
  • LinkedIn
  • Youtube
Choose country