The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Controller-processor contract requirements

All of your controller-processor contracts cover the terms and clauses necessary to comply with data protection law.

Ways to meet our expectations:

  • The contract or other legal act includes terms or clauses stating that the processor must:
    • only act on the controller’s documented instructions, unless required by law to act without such instructions;
    • ensure that people processing the data are subject to a duty of confidence;
    • help the controller respond to requests from individuals to exercise their rights; and
    • submit to audits and inspections.
  • Contracts include the technical and organisational security measures that the processor must adopt (including encryption, pseudonymisation, resilience of processing systems and backing up personal data in order to be able to reinstate the system).
  • The contract includes clauses to make sure that the processor either deletes or returns all personal data to the controller at the end of the contract. The processor must also delete existing personal data unless the law requires its storage.
  • The contract includes clauses to make sure that the processor assists the controller in meeting its GDPR obligations regarding the security of processing, the notification of personal data breaches and DPIAs.

Can you answer yes to the following questions?

  • Was the International Organisation for Standardization (ISO) consulted on the appropriateness of security measures detailed within contracts?