Contract Between Data Controller and Data Processor GDPR (A250)

£29.50 plus VAT

Who can use this Data Processor Appointment?

This Data Processor Agreement is for use by a company or organisation that wants to appoint an outsider as data processor.

What is this contract for?

This data processor appointment is for use by an organisation which wants support in handling/processing personal data. Under the Data Protection Act 2018 and the European GDPR, there are numerous obligations on organisations with regard to data protection, and outsourcing to a suitable company can be useful.

Written from the data controller’s perspective, the Data Processor Agreement comprises a one-page Form of Agreement, Terms and Conditions, plus Schedules to be completed detailing the Services, Fees, and Insurance.

ContractStore has other relevant documents dealing with GDPR and data protection.

What are the main issues?

The legal duties of a data processor are spelt out in some detail in the legislation and a Data Processor Appointment should reflect these duties in its wording.  So the agreement will refer in various places to the GDPR and/or Data Protection Act.

Scope of services. The agreement needs to clearly define the scope of the data processor’s role and the client will want to reserve the right to review and inspect the services.

Variations probably need to be covered as these can affect the data processor’s role as well as the fee arrangements.

There can be serious penalties as well as potential claims from individuals for a company which has a data breach. So the agreement needs to have clear wording under which the processor is going to be responsible for ensuring there is no infringement of the law and to make good the company’s losses if the processor is responsible for a data breach. This is likely to involve insurance claims and therefore the agreement needs a clause requiring the data processor to maintain adequate professional indemnity insurance.

What detailed terms does the contract contain?

The Terms and Conditions contain 18 clauses covering:

  • definitions
  • scope of contract
  • data processor’s obligations
  • programme
  • personnel
  • variations
  • review and inspections
  • price and payment
  • warranties
  • termination
  • intellectual property
  • indemnity, liability and insurance
  • confidentiality
  • assignment and subcontracting
  • disputes and governing law
  • notices
  • general clause

For more information on each of these sections, see our Explanatory Notes below which you will also receive when you download the document from our website.

For information on signing documents see our Contract Signing page

When I download the document, can I change it and/or use it more than once?

Yes, all ContractStore’s templates are in MS Word and you can use the contract on more than one project. For more information, watch the video on this page of our website or see our FAQs

Legal support

ContractStore supplies templates and is not a law firm. But experienced lawyers write all our templates, so we can arrange legal assistance for customers who need special terms in one of our documents or a bespoke template. For more information see our Legal Services page.

Contract Author –   Giles Dixon / Sharon Benning-Prince

And if you want to contact us see our Contacts page.

Read more about GDPR on our blog or sign up for information alerts and guidance here.

You may also find these contracts of use:

Free Download

Use this free GDPR Data Collection form to begin compiling the information you need to comply with the General Data Protection Regulations.

£19.50 Plus VAT

This Data Protection  Policy is for internal use by a business that sells goods and/or services and has a website from which sales can be made and/or on which personal data can be collected.   It…


£8.50 Plus VAT

This Privacy Notice template - previously known as a Privacy Policy - is for use on a website where the website owner collects data on visitors or customers. It meets the basic requirements of the…


Explanatory Notes

This Data Processor Appointment services agreement is designed for use by a company that is controller of a lot of personnel data and wants to appoint another company to process that data on its behalf, obtain services from another business – referred to in the agreement as the . It is designed to reflect the requirements of the EU’s GDPR (General Data Protection Regulation) that is in effect in the UK and throughout the EU from 25 May 2018.

The contract is in three parts – first, a one page Form of Agreement that is signed by both parties, second, Terms & Conditions and, third, Schedules which are left blank and need to be filled in specifying the services, the programme and the fee arrangements. The Terms & Conditions are written from the Company’s point of view and, while fair, are designed to protect the Company rather than the Processor.


This identifies the contractual parties, the commencement date and completion date (if relevant) and states that the contract between the Company and the Processor comprises the Form of Agreement, attached Terms & Conditions and completed schedules.



This contains a few defined terms used in the contract.


This briefly sets out the basic arrangement between the Company and the Processor: the Processor will carry out the services and the Company will pay the agreed fees for those services.


This clause contains some general obligations as well as detailed obligations in clause 3.2 that are required by the GDPR and the ICO in the UK.


If there is a programme for any of the services, e.g. in getting personal data onto the Processor’s system, this clause will be relevant and the programme will be in Schedule 1 of the Agreement.


This makes it clear that the Processor’s personnel should be suitably qualified and subject to confidentiality obligations. The clause also provides for a representative to be identified as the Processor’s main point of contact with the Company.


This sets out the procedure for changing the scope of the services – and deals with the price and time implications of a variation. The clause makes it clear that an estimate of the likely cost has to be provided by the Processor and the Company can then consider whether or not to go ahead with the extra services.


The Company has the right to review and approve any services. Also, any errors or defects have to be corrected by the Processor at its own expense. The Company has the option to withhold payment pending correction as well as the right to get the work done by someone else.

In addition, the Company has the right to visit the Processor and inspect its systems and security. The possibility of an inspection by GDPR supervisory authorities is also referred to in this clause.


This clause refers to Schedule 2 where the contract price and fee arrangements are to be set out. The wording of the clause goes on to state that invoices must be accompanied by relevant supporting documents and specifies a payment date – our document says 28 days from receipt of invoice. The Company is allowed to withhold money if it has reason to do so, but it is required to give notice with reasons to the Processor.

Late payment will entitle the Processor to interest. Our clause proposes an interest rate of 3% above Base Rate. In the UK, if the contract does not specify an interest rate, the law allows an unpaid party to a contract to claim a high rate – 8 per cent above Base Rate under the Late Payment of Commercial Debts (Interest) Act. So, from the Company’s point of view it is better to specify the rate.


Here the Processor warrants – i.e. guarantees – to the Company that it will implement appropriate measures to meet GDPR standards as well as exercise a high degree of skill and care.


The Company has the right to terminate for convenience at any time on giving 30 days’ notice. It can also terminate if the Processor fails to perform. The Processor can terminate for non-payment and either party can terminate if the other becomes insolvent. The clause also deals with the consequences of termination.


Especially when the Processor has access to Company software and other intellectual property, it is sensible to have wording designed to protect the Company’s intellectual property rights and this is the purpose of our wording. Similarly, the Processor retains ownership of its own IP.


Here, the Processor gives an indemnity to the Company – i.e. agrees to make good all loss suffered by the Company – due to negligence on the part of the Processor or its personnel that causes death or injury or damage to property. In addition, the Processor gives an indemnity with respect to intellectual property rights.

Liability for GDPR breaches is also covered, including the possibility of penalties that might be imposed under various articles of the GDPR.

A data processor would usually have public liability insurance to cover against injury or death or damage to third party property. They may also have professional indemnity insurance to protect them against negligence claims.

The contract does not contain any limit on the potential liability of the Processor, nor is there a clause excluding liability for loss of profits or consequential losses. This is sometimes requested and it can be sensible to agree – if only because most companies would not have the resources to meet a really large claim. But in such a case, insurance is important.

Our clause deals briefly with the insurance issues by reference to Schedule 3, which is, in effect, optional depending on the circumstances.


This imposes strict confidentiality obligations on the Processor. In addition, any publicity concerning the contract (e.g. if the Processor wants to refer to it in its brochures) has to be approved in advance by the Company.


Consent is required before the Processor can assign or sublet any of its rights or obligations to a third party.


Our contract provides for a three-stage process for dealing with any dispute that arises – direct negotiation, mediation and then the courts. Our form says English law will apply, but this can be changed as appropriate. We have free information on our website that deals with these issues: Z139 and Z140.


This is a fairly standard clause dealing with notices given under the Agreement.


This clause contains what are known to lawyers as ‘boiler plate’ provisions.


These are largely left blank, except for some headings, and they should be filled in before the contract is signed. In the Payment schedule, some illustrative wording is shown in italics as there are various possibilities and we have shown two – a fixed fee, with a schedule of payments (probably linked to activities) and an estimated fee, with charges calculated by reference to daily or hourly rates (in which case an overall cap may be sensible).

It is sensible to agree rates for extra services at the time the contract is signed, as well as what expenses are chargeable in addition to fees, and our schedule allows for these.