The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.


You have appropriate procedures in place regarding the work that processors do on your behalf.

Ways to meet our expectations:

  • You have written contracts with all processors.
  • If using a processor, you assess the risks to data subjects and make sure those risks are effectively mitigated.
  • An appropriate level of management approves the contracts and both parties sign. The level of management required for approval is proportionate to the value and risk of the contract.
  • Each contract (or other legal act) sets out details of the processing, including the:
    • subject matter of the processing;
    • duration of the processing;
    • nature and purpose of the processing;
    • type of personal data involved;
    • categories of data subject; and
    • controller’s obligations and rights, in accordance with the list set out in Article 28(3) of the UK GDPR.
  • You keep a record or log of all current processor contracts, which you update when processors change.
  • You review contracts periodically to make sure they remain up to date.
  • If a processor uses a sub-processor to help with the processing it is doing on your behalf, the processor has written authorisation from your organisation and a written contract with that sub-processor.

Can you answer yes to the following questions?

  • Are staff aware of the need for a written contract when using a processor?
  • Do they make sure the contracts are kept up to date?
  • Are the risks of using a processor mitigated effectively?
  • Do you have an appropriate approval process for contracts?
  • Is it easy for staff to find existing contracts where appropriate?