Data Processing Agreement (DPA)
Contract schedule specifying how a data processor (typically the supplier) will handle personal data on behalf of the data controller.
Definition
A Data Processing Agreement (DPA) is a contract schedule specifying how a data processor (typically the supplier) will handle personal data on behalf of the data controller (typically the contracting authority). UK GDPR Article 28(3) requires that any processing carried out by a processor is governed by a binding contract setting out the subject matter and duration of the processing, its nature and purpose, the types of personal data, the categories of data subjects, and the obligations and rights of the controller; the DPA is the schedule that carries those terms, so it is mandatory wherever the contract involves personal data processing. The DPA defines the scope and purpose of processing, types and categories of personal data, data subject categories, security measures, sub-processor controls, data subject rights handling, breach notification, and audit rights.
How it works in practice
The DPA is typically a contract schedule rather than a standalone document. Most public sector buyers use a standard DPA template adapted to the specific contract. Key DPA provisions include:

- Scope and purpose: specifically what processing is in scope, so that anything outside it is processing without documented instructions.
- Types of personal data: the categories involved, with special category data flagged because it attracts additional lawful-basis conditions and usually stricter controls.
- Data subject categories: who the data subjects are.
- Retention periods: how long data will be retained after contract end.
- Security measures: the technical and organisational controls required (UK GDPR Article 32), ideally stated as specific, testable requirements rather than a generic "appropriate measures" clause.
- Sub-processor controls: whether sub-processors are permitted, what notice and objection rights the controller has, and the requirement that the same data protection obligations flow down to each sub-processor (Article 28(4)).
- Data subject rights: how the supplier supports access, rectification, erasure and other requests within the controller's statutory deadlines.
- Breach notification: timing and content of breach notifications to the controller. The controller must notify the ICO within 72 hours of becoming aware of a notifiable breach (Article 33), so DPAs typically require the processor to notify well inside that window and to supply the facts the controller needs for its own report.
- Audit rights: controller rights to inspect supplier processing, and whether third-party assurance (such as a recent independent audit report) is accepted in place of on-site inspection.
- End-of-contract data handling: return or destruction of personal data, at the controller's choice, once the contracted services end.

Mature public sector buyers test compliance during contract management: periodic audit of DPA implementation, structured incident review for any personal data breach, and documented end-of-contract data return or destruction. Suppliers should treat the DPA as a live contractual obligation rather than a signed-and-filed schedule; underperformance on DPA terms creates regulatory exposure under UK GDPR, where processors carry direct obligations of their own, and contractual exposure under the prime contract.
Common questions
Do all public sector contracts need a DPA?
For contracts involving personal data processing, yes: UK GDPR Article 28(3) requires a binding contract between controller and processor, and the DPA is the schedule that satisfies it. For contracts not involving personal data (commodity goods, generic services with no personal data exposure) a DPA may not be required, though many public sector buyers include a baseline DPA template defensively, because personal data often turns up incidentally (staff contact details, support tickets, access logs) even in contracts not scoped around it.
Can I negotiate the DPA terms?
Material variation from standard public sector DPAs is typically not accepted in open or restricted procurement procedures. Some specific operational provisions (incident notification timing, audit logistics) may be adjusted where they conflict with supplier operational practice. Substantive variation requires the authority to consider the procurement law implications of changing published terms after tender.
What happens at end of contract?
The DPA specifies the end-of-contract data handling: typically return of all personal data to the controller and destruction of supplier-held copies, with written confirmation. Specific buyer requirements vary; some require certified destruction with a witnessed audit trail, others accept supplier self-certification. Whatever the form, the confirmation should cover copies held by sub-processors and in backup media, which are often overlooked, and should record any data the supplier is required by law to retain and for how long.
