getsorted.Check your business
§ Guide

UK GDPR: Data Processor Contracts: does it apply to you?

UK GDPR, Article 28

When this applies

You likely need a Data Processing Agreement with each third-party tool that handles personal data (e.g. Mailchimp, Google Analytics, Stripe, Shopify). Many providers offer a standard DPA, check your account settings or terms.

When it does not apply

If you do not use third-party tools that process personal data on your behalf, this requirement likely does not apply.

What is at stake

Using a processor without a compliant contract is a breach of UK GDPR. Fines up to £17.5M or 4% of global turnover.

What to do

Ensure you have a Data Processing Agreement (DPA) or have accepted the processor's standard DPA terms with each third party that processes personal data on your behalf.

Check all 27 regulations for your business

This is one of 27 checks getsorted runs. Answer around 12 questions and see your full compliance picture in three minutes. Free, no account.

Check your business →

Reviewed: 2026-06-25  ·  Source: official guidance