UK GDPR: Data Processor Contracts: does it apply to you?
UK GDPR, Article 28
When this applies
You likely need a Data Processing Agreement with each third-party tool that handles personal data (e.g. Mailchimp, Google Analytics, Stripe, Shopify). Many providers offer a standard DPA, check your account settings or terms.
When it does not apply
If you do not use third-party tools that process personal data on your behalf, this requirement likely does not apply.
What is at stake
Using a processor without a compliant contract is a breach of UK GDPR. Fines up to £17.5M or 4% of global turnover.
What to do
Ensure you have a Data Processing Agreement (DPA) or have accepted the processor's standard DPA terms with each third party that processes personal data on your behalf.
Check all 27 regulations for your business
This is one of 27 checks getsorted runs. Answer around 12 questions and see your full compliance picture in three minutes. Free, no account.
Check your business →Reviewed: 2026-06-25 · Source: official guidance