Skip to content
Compliance guide8 min read

Data Processing Agreements with Suppliers: A UK GDPR Guide for Procurement Teams (2026)

When a supplier needs a DPA, what UK GDPR Article 28 actually requires the contract to contain, how international transfers work, and how to keep hundreds of supplier DPAs current without losing track.

Somewhere in your supplier base, right now, there is almost certainly a supplier processing personal data on your behalf without a compliant contract in place. A payroll bureau, an IT support provider with admin access, a marketing agency holding your customer list, a courier with delivery names and addresses. Under UK GDPR, each of those relationships legally requires a written Data Processing Agreement, and the absence of one is a breach by both parties before anything has even gone wrong.

This guide explains, in procurement terms rather than legal ones, when a DPA is required, what the law says it must contain, what changes when data leaves the UK, and how to manage the resulting pile of documents across a real supplier base. One caveat up front: this is general information for procurement and operations teams, not legal advice. For contract drafting and edge cases, involve your legal adviser.

What Is a DPA and When Do You Need One?

A Data Processing Agreement (the ICO calls it a controller to processor contract) is the written contract that UK GDPR Article 28 requires whenever a processor handles personal data on a controller's behalf. "Written" includes electronic form, and the required terms are frequently included as a schedule to a master services agreement rather than a separate document. What matters is that the mandatory content exists in a binding contract, not what the document is called.

The trigger is simple to state: you need a DPA whenever a supplier processes personal data on your instructions, for your purposes. "Processing" is deliberately broad, covering storage, access, transmission and even deletion. Common supplier relationships that need a DPA include:

  • Payroll, pensions and HR service providers
  • IT support, hosting and SaaS providers whose staff or systems can access personal data you control
  • Marketing agencies and email platforms holding contact lists
  • Couriers and fulfilment providers processing delivery details
  • Outsourced customer service, call centres and survey providers
  • Document destruction and archiving services

The stakes are not theoretical. The UK GDPR's higher maximum penalty is £17.5 million or 4 percent of annual worldwide turnover, whichever is higher, and the contract requirement applies to the controller as much as to the processor: engaging a processor without an Article 28 contract is itself an infringement.

Controller or Processor?

Not every supplier that touches personal data is your processor, and getting this classification right determines whether a DPA is the correct instrument at all. A processor acts on your documented instructions, for your purposes. A controller decides its own purposes and means of processing.

An accountancy firm preparing your statutory accounts, a law firm advising you, or an occupational health provider making its own professional judgements will usually be an independent controller for the data it handles, because professional obligations require it to exercise its own judgement. Those relationships need appropriate data sharing terms, but not an Article 28 processor contract. A hosting provider storing your CRM database, by contrast, is a classic processor. When the classification is genuinely unclear, the ICO's guidance on controllers and processors is the reference point, and the answer shapes everything downstream: liability, breach notification duties and what your contract must say.

What UK GDPR Article 28 Requires the Contract to Contain

Article 28(3) is unusually prescriptive: it lists the terms the contract must include. Use this as a review checklist when a supplier sends over their standard DPA, because the gaps are usually in the same places.

  • Processing details: the subject matter and duration of the processing, its nature and purpose, the types of personal data, and the categories of data subjects.
  • Documented instructions only: the processor may process the data only on your documented instructions, including for international transfers.
  • Confidentiality: persons authorised to process the data are committed to confidentiality.
  • Security measures: the processor takes the technical and organisational measures required by Article 32 (encryption, resilience, testing and the rest, as appropriate to the risk).
  • Sub-processor rules: no sub-processor without your prior authorisation (specific or general), and the same obligations flow down to every sub-processor.
  • Data subject rights assistance: the processor helps you respond to access, erasure and other data subject requests.
  • Breach and compliance assistance: the processor assists with your security, breach notification and impact assessment obligations. Processors must notify the controller of a personal data breach without undue delay, and you may only have 72 hours to assess and notify the ICO where required.
  • End of contract: the processor deletes or returns the personal data at the end of the engagement, at your choice, and deletes remaining copies unless law requires retention.
  • Audit rights: the processor makes available the information needed to demonstrate compliance and allows for audits and inspections.

International Transfers: When Data Leaves the UK

If your supplier, or any of its sub-processors, processes the data outside the UK, the DPA alone is not enough. A restricted transfer needs a lawful transfer mechanism. For countries covered by UK adequacy regulations, no further safeguard is required. For everywhere else, the standard tools are the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, both in force since March 2022, usually accompanied by a transfer risk assessment.

For procurement, the practical questions to put to any supplier are: where is the data hosted, where is it accessed from (support teams count), which sub-processors are involved and where are they, and which transfer mechanism covers each leg. A supplier who cannot answer those four questions quickly is telling you something about their data protection maturity.

Common Mistakes

  • No DPA at all. Usually not defiance, just drift: the supplier was onboarded years ago, the relationship evolved, and nobody noticed the data processing dimension. This is why data processing should be a standard question in supplier onboarding, covered in our supplier onboarding checklist.
  • Signed once, never reviewed. Processing changes: new sub-processors, new hosting regions, new data categories. A DPA describing the 2021 version of the service gives 2021 protection.
  • Nobody can find the signed copy. When the ICO, a customer auditor or an incident response demands the DPA, an unsigned template in a shared drive is what too many teams actually find.
  • Sub-processors unexamined.Your supplier's DPA is only as good as its flow-down. If they use general authorisation, you should be receiving notice of sub-processor changes and have the right to object.
  • Ignoring transfers hidden in support arrangements.Data "hosted in the UK" but administered by a support team elsewhere is still being transferred.

Managing DPAs at Scale: How Supplio Helps

The legal content of a DPA is a matter for your templates and advisers. The operational problem, knowing which suppliers need one, holding the signed copies, and noticing when they go stale, is a supplier management problem, and it is exactly what Supplio is built for.

DPAs live against the supplier record alongside insurance, certifications and policies, with version history and review dates, so the current signed copy is retrievable in seconds rather than excavated from inboxes. Onboarding workflows make the data processing question and the DPA upload a standard step for relevant supplier categories, and suppliers submit documents themselves through the supplier portal. Automated reminders trigger when a review date approaches, and the immutable audit log records every submission and approval, which is precisely the evidence trail an ICO enquiry or customer audit asks for. See the supplier compliance overview and full feature set for detail.

Sources and Further Reading

Next step

Know exactly which suppliers hold your data

We'll show you how Supplio tracks DPAs, sub-processor disclosures and review dates across a real supplier base, with reminders that fire before documents go stale.