DPA Addendum Template for England and Wales

What is a DPA Addendum?

The DPA Addendum is essential when one organization processes personal data on behalf of another under UK law. It's typically attached to a main service agreement to ensure GDPR and Data Protection Act 2018 compliance. This document becomes necessary when the main agreement doesn't adequately address data protection requirements or when changes in data protection laws necessitate additional terms. The DPA Addendum includes specific provisions for data security, breach notification, sub-processing, and international transfers, making it crucial for organizations handling personal data in the UK.

Frequently Asked Questions

Is a DPA Addendum legally binding under England and Wales law?

Yes, a DPA Addendum is legally binding in England and Wales when properly executed between parties. It forms part of your contractual obligations under UK GDPR and the Data Protection Act 2018, creating enforceable duties for both data controllers and processors in how they handle personal data.

Can I be fined by the ICO if my DPA Addendum is missing or incomplete?

Yes, the ICO can impose significant fines for non-compliance with UK GDPR requirements, including inadequate contractual arrangements between controllers and processors. Missing or incomplete DPA Addendums may result in penalties up to £17.5 million or 4% of annual global turnover, whichever is higher.

How does a DPA Addendum differ from a privacy policy under UK law?

A DPA Addendum is a contractual agreement between businesses that defines data processing relationships, while a privacy policy is a public notice explaining to individuals how their personal data is used. The addendum governs B2B data handling obligations under UK GDPR, whereas privacy policies fulfill transparency requirements toward data subjects.

How long does it typically take to finalize a DPA Addendum in the UK?

For standard arrangements using template forms, a DPA Addendum can be completed within 1-2 weeks. Complex processing relationships involving sensitive data, international transfers, or multiple sub-processors may require 4-6 weeks for proper negotiation and legal review to ensure UK GDPR compliance.

Which party is responsible for creating the DPA Addendum under UK data protection law?

The data controller is typically responsible for initiating the DPA Addendum, as they have primary accountability under UK GDPR for ensuring lawful processing arrangements. However, processors often propose their own standard addendum terms, and both parties must agree to the final contractual provisions governing their data processing relationship.

Can I process personal data without a DPA Addendum in England and Wales?

No, UK GDPR Article 28 requires written contracts between controllers and processors before any personal data processing begins. Processing without a proper DPA Addendum constitutes a breach of UK data protection law and may result in ICO enforcement action, including monetary penalties and processing restrictions.

Why do businesses commonly fail to include international transfer provisions in DPA Addendums?

Many businesses overlook that UK GDPR requires specific safeguards for transfers outside the UK, even to EU countries post-Brexit. This oversight leaves organizations non-compliant when processors use overseas sub-processors or cloud services, potentially exposing them to ICO sanctions and rendering data transfers unlawful.

Reviewed by

Legal Engineer, GenieAI

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Legal Engineer, GenieAI

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

England and Wales

Publisher

GenieAI

Sector

Business

Cost

Free to use

About the DPA Addendum

When your organization processes personal data on behalf of another entity, you need a robust legal framework that satisfies UK data protection requirements. A DPA Addendum serves as the cornerstone document that transforms your business relationship into a compliant data processing arrangement under England and Wales law.

When do you need this document?

You require a DPA Addendum whenever your organization acts as a data processor for another company's personal data. This includes cloud service providers handling customer databases, marketing agencies processing client contact lists, payroll companies managing employee information, or IT support firms accessing business systems containing personal data. The document becomes essential when your main service agreement lacks comprehensive data protection clauses or when you need to update existing arrangements following regulatory changes. Additionally, you'll need this addendum when establishing new data processing relationships, expanding existing services to include personal data handling, or when audit requirements demand formal documentation of your data protection responsibilities.

Key legal considerations

Your DPA Addendum must clearly define the scope and purpose of data processing, ensuring you only process personal data according to documented instructions from the controller. The document should establish robust security measures appropriate to the risk level, including technical and organizational safeguards that protect against unauthorized access, alteration, or destruction. You need specific provisions covering data breach notification procedures, requiring you to notify the controller without undue delay upon discovering any security incidents. The addendum must address sub-processor arrangements, detailing your obligations when engaging third parties and ensuring they meet the same data protection standards. International data transfer provisions are crucial, particularly when processing involves countries outside the UK, requiring appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.

Legal requirements in England and Wales

Under England and Wales law, your DPA Addendum must comply with UK GDPR and the Data Protection Act 2018, which impose specific processor obligations including maintaining processing records, implementing data protection by design principles, and supporting the controller's compliance with data subject rights. The document must address the controller's right to audit your processing activities and require you to assist with data protection impact assessments when necessary. You need provisions covering data retention and deletion, ensuring personal data is only kept as long as necessary for the specified purposes. The addendum should incorporate Privacy and Electronic Communications Regulations (PECR) requirements when processing involves electronic communications or marketing activities. Additionally, you must include termination clauses that specify your obligations regarding data return or destruction when the processing relationship ends, ensuring no unauthorized retention of personal data occurs.

GOVERNING LAW

Applicable law

This DPA Addendum is drafted to comply with England and Wales law. Key legislation includes:

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it