Data Processing Agreements For Platforms in UK
1. What is a Data Processing Agreement (DPA) in the UK?
A Data Processing Agreement is a legally binding contract required under Article 28 UK GDPR when a data controller uses a data processor.
Core purpose:
It ensures that personal data is:
- Processed only on documented instructions
- Protected with appropriate technical and organisational security
- Not used for the processor’s own purposes
- Returned or deleted after processing ends
2. When is a DPA required?
A DPA is mandatory when:
- A platform (controller) uses cloud providers, analytics tools, payment processors, or marketing services
- A software-as-a-service (SaaS) provider processes customer/user data on behalf of businesses
- Any outsourcing of personal data processing occurs
3. Key legal requirements under UK GDPR (Article 28)
A valid DPA must include:
(a) Instructions & scope
Processor must act only on documented instructions.
(b) Confidentiality
Personnel must be under strict confidentiality obligations.
(c) Security
Appropriate technical and organisational measures (encryption, access control, etc.).
(d) Sub-processors
The DPA must require the controller's prior authorisation before the processor engages third parties (sub-processors).
(e) Data subject rights support
Processor must assist controller in responding to rights requests.
(f) Data return/deletion
At end of contract, data must be deleted or returned.
4. DPAs in Platform Context (Important Concept)
For platforms (e.g., social media or cloud services), classification matters:
- Controller: decides purpose and means of processing
- Processor: processes data only on behalf of controller
- Joint controllers: both decide purposes jointly
Courts often struggle with whether platforms are truly “processors” or actually “controllers,” which significantly impacts liability.
5. Key Case Laws (UK and UK-relevant)
1. WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12
Key issue:
Employer liability for employee data leak.
Holding:
- Morrisons was not vicariously liable for a rogue employee's data leak
- However, UK Supreme Court confirmed principles of data protection liability still apply strictly to organisations
Importance for DPAs:
- Even if outsourcing exists, organisations must ensure strict controls over processors
- Internal governance is critical beyond contractual DPAs
2. Google LLC v Lloyd [2021] UKSC 50
Key issue:
Whether individuals can claim compensation for “loss of control” of data.
Holding:
- Supreme Court rejected automatic compensation claims
- Claimants must prove material damage or distress
Importance:
- Reinforces that platform liability under UK GDPR requires demonstrable harm
- DPAs alone do not eliminate platform accountability
3. Vidal-Hall v Google Inc [2015] EWCA Civ 311
Key issue:
Tracking cookies and misuse of private information.
Holding:
- Court confirmed misuse of private information is a tort
- Damages can be awarded for distress alone (no financial loss needed)
Importance:
- Strengthens user rights against platforms
- Highlights need for DPAs ensuring lawful tracking practices
4. NT1 & NT2 v Google LLC (High Court, 2018)
Key issue:
Right to be forgotten vs search engine indexing.
Holding:
- NT2 succeeded in having search results delisted
- NT1 failed due to public interest
Importance:
- Platforms may act as data controllers when indexing/searching
- DPAs cannot fully shield platforms from direct GDPR obligations
5. Google Spain SL v AEPD (CJEU, 2014)
Key issue:
Search engine responsibility for personal data.
Holding:
- Search engines are data controllers
- Established “right to be forgotten”
Importance:
- Influenced UK GDPR interpretation
- Shows that platforms cannot always rely on being “processors”
6. Barbulescu v Romania (ECHR, 2017)
Key issue:
Monitoring of employee communications.
Holding:
- Employer monitoring must respect privacy rights under Article 8 ECHR
Importance:
- Impacts DPAs involving workplace platforms and SaaS tools
- Requires proportionality in data processing agreements
7. WM Morrison-related parallel principle (Various Claimants litigation background)
Although these points arise from the wider Morrisons litigation, the courts consistently reinforced:
- Organisations remain responsible for data security even when outsourced
- DPAs must include strong monitoring and audit rights
6. Key Legal Principles Derived from Case Law
From the above cases, UK courts consistently emphasise:
(1) Control determines liability
If a platform decides how data is used → it is likely a controller, not a processor.
(2) DPAs do not remove statutory liability
Contractual agreements cannot override UK GDPR obligations.
(3) Security failures create direct liability
Even if a processor causes a breach, the controller may still be liable.
(4) Harm requirement is strict in compensation claims
As seen in Lloyd v Google, not all breaches lead to damages.
(5) Human rights influence data protection law
ECHR Article 8 privacy principles shape UK interpretation.
7. Practical Implications for Platforms in the UK
Platforms (especially SaaS, fintech, and social media) must ensure DPAs include:
- Clear role allocation (controller vs processor)
- Audit and compliance rights
- Breach notification timelines (usually aligned with the 72-hour UK GDPR notification window)
- Sub-processor transparency
- Cross-border transfer safeguards (the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs))
Conclusion
In the UK, Data Processing Agreements are not just administrative contracts—they are legal risk allocation tools shaped heavily by case law. Courts consistently look beyond contractual wording to determine real-world control, responsibility, and accountability.