Data Processing Agreement (DPA)
Version 2.0
Effective Date: 18 May 2026
Business Name (Data Processor): Nathan O'Connor (ICO registration C1919785)
Contact Email: info@nathanoconnor.co.uk
This Data Processing Agreement (“Agreement”) forms part of the contract for services (“Main Agreement”) between the Data Processor and the Data Controller. It outlines the terms under which the Data Processor will process personal data on behalf of the Data Controller in accordance with UK GDPR Article 28 and other applicable data protection laws. The version of this Agreement in force at the time of the Main Agreement applies for the duration of the engagement; material changes will be notified to existing Controllers in writing with a reasonable opportunity to object.
This document is provided as standing infrastructure for client engagements. It has been drafted to meet UK GDPR Article 28(3) but is not a substitute for solicitor-reviewed legal advice. Clients requiring a negotiated DPA or bespoke amendments should contact me directly.
1. Definitions
- Data Controller: The client who determines the purposes and means of processing personal data.
- Data Processor: Nathan O'Connor, who processes data on behalf of the Data Controller.
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation or set of operations performed on personal data.
- Sub-processor: A third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller.
- Main Agreement: The contract for services between the Data Controller and the Data Processor. This may be the Terms of Service (when this DPA is incorporated by reference into the client relationship) or a separately negotiated engagement letter or statement of work.
2. Subject Matter, Nature, Duration and Purpose
The Data Processor processes Personal Data on behalf of the Data Controller solely for the purpose of delivering the Services agreed in the Main Agreement.
- Subject matter: configuration, optimisation, and operation of marketing technology, analytics, advertising, and automation systems on behalf of the Data Controller.
- Nature of processing: collection, storage, retrieval, organisation, analysis, transmission, and (where instructed) deletion of Personal Data using the tools listed in §8 (Sub-processors).
- Duration: for the duration of the Main Agreement and any post-termination period reasonably required to return or delete data per §12.
- Purpose: marketing automation, CRM configuration (e.g., Twenty CRM, CallTrackingMetrics), data enrichment and analytics, tracking setup (e.g., GTM, GA4), and reporting and attribution.
3. Types of Personal Data and Categories of Data Subjects
The Personal Data processed under this Agreement may include, depending on the agreed Services:
- Identifiers and contact data: names, email addresses, telephone numbers, postal addresses, IP addresses.
- Behavioural data: website interactions, page views, click-stream data, conversion events, advertising click identifiers (e.g., gclid, fbclid).
- Marketing engagement data: form submissions, marketing preferences, opted-in audiences (where opt-in is gathered by the Data Controller).
- Where applicable and instructed by the Data Controller, hashed (pseudonymised) email addresses or phone numbers for the purpose of platform-side audience matching (e.g., Google Customer Match).
Categories of Data Subjects:
- Customers, prospects, leads, and other contacts of the Data Controller
- Website visitors of properties operated by the Data Controller
- Recipients of marketing communications sent by the Data Controller
4. Controller's Obligations and Rights
The Data Controller is responsible for:
- Establishing a lawful basis for processing under UK GDPR Article 6 for all Personal Data shared with the Data Processor
- Providing transparent privacy notices to Data Subjects
- Obtaining and managing consents where consent is the lawful basis (including marketing communications and non-essential cookies)
- Providing the Data Processor with accurate documented instructions
- Ensuring that any Personal Data shared with the Data Processor has been collected lawfully and is appropriate for the agreed Services
The Data Controller retains all rights of decision-making in respect of Personal Data, including:
- The right to issue documented instructions
- The right to inspect and audit the Data Processor's compliance (per §13)
- The right to object to changes in sub-processors (per §8)
- The right to require return or deletion of Personal Data (per §12)
5. Instructions and Compliance
- The Data Processor shall process data only on documented instructions from the Data Controller.
- The Data Processor shall comply with all applicable data protection laws and regulations.
- The Data Processor shall not use data for any other purpose without written consent.
6. Confidentiality
The Data Processor shall ensure that all persons authorised to process the personal data are subject to confidentiality obligations.
7. Security
The Data Processor shall implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, as required by UK GDPR Article 32. These measures include:
- Encrypted storage and transmission
- Access control and user authentication
- Regular security reviews and audits
8. Sub-processors
The Data Controller authorises the use of third-party sub-processors when those tools are required to deliver the agreed Services. A current list of named sub-processors, their function, location, and applicable international transfer mechanisms is maintained at /sub-processors.
Change notification. The Data Processor will notify the Data Controller in writing (typically via email and via the sub-processor page linked above) at least 30 days before engaging any new sub-processor or replacing an existing one. The Data Controller may object to the change within 30 days of notification on reasonable data-protection grounds. If a reasonable objection cannot be resolved, the Data Controller may terminate the affected Services without penalty.
The Data Processor shall ensure that sub-processors are subject to data protection obligations equivalent to those in this Agreement.
9. Data Subject Rights
The Data Processor shall assist the Data Controller in responding to data subject requests, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to data portability
- Right to restrict processing
- Right to object
10. Breach Notification, DPIAs and Prior Consultation
In the event of a Personal Data breach, the Data Processor shall notify the Data Controller without undue delay (and in any event within 72 hours of becoming aware), and provide all relevant information and assistance to enable the Data Controller to comply with their notification obligations under UK GDPR Articles 33 and 34.
The Data Processor shall also assist the Data Controller, on reasonable request, with:
- Data Protection Impact Assessments (DPIAs) for processing activities the Data Processor performs on the Controller's behalf (UK GDPR Article 35)
- Prior consultations with the ICO or other Supervisory Authority where required (UK GDPR Article 36)
11. International Data Transfers
Where the Data Processor or any sub-processor transfers Personal Data outside the United Kingdom, the transfer will be conducted under one of the following safeguards:
- An Adequacy decision by the UK government
- The UK International Data Transfer Agreement (UK IDTA)
- The European Commission's Standard Contractual Clauses (SCCs) with the UK Addendum issued by the ICO
- Other lawful transfer mechanisms permitted under UK GDPR
The Data Processor will provide the Data Controller with copies of the applicable transfer mechanism for any sub-processor on reasonable request. The current locations of sub-processors and their applicable transfer mechanisms are listed at /sub-processors.
12. Data Retention and Deletion
Upon termination of the Services, the Data Processor shall:
- Return or delete all Personal Data, at the Data Controller's request
- Confirm in writing that no data has been retained unless required by law
13. Audit Rights and Demonstrating Compliance
The Data Processor will make available to the Data Controller, on reasonable written request, all information necessary to demonstrate compliance with this Agreement and UK GDPR Article 28.
- The Data Controller may, with reasonable advance notice (typically 30 days) and during business hours, conduct an audit of the Data Processor's processing activities under this Agreement.
- Where appropriate, the Data Processor may satisfy audit requests by providing evidence of relevant certifications, third-party audit reports, or written responses to specific compliance questions.
- Audits must not unreasonably disrupt business operations and must be conducted in a manner that preserves the confidentiality of other Controllers' data.
14. Duration
This Agreement remains in effect for as long as the Data Processor processes personal data on behalf of the Data Controller.
15. Governing Law
This Agreement is governed by the laws of England and Wales.
16. Applicability
This Data Processing Agreement forms the basis of how I handle personal data on behalf of my clients and is incorporated into all client relationships by reference.
If you are a client and require a signed copy of this DPA, or wish to discuss negotiated terms, please contact me at info@nathanoconnor.co.uk.
