This guidance discusses controllers and processors in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding. DPOs and those with specific data protection responsibilities in larger organisations are likely to find it useful.

If you haven’t yet read controllers and processors in brief in the Guide to Data Protection, you should read that first. It sets out the key points you need to know, along with practical checklists to help you comply.

This guidance will help you decide whether you are acting as a controller, processor or joint controller when processing personal data. We know this exercise can be difficult, so we have included examples to help you. The guidance also explains the roles and responsibilities of each, and outlines the governance issues that are relevant to them.

Contents

What’s new under the GDPR?

When is a contract needed and why is it important?

Is this a big change?

What are the key changes to make in practice?

What needs to be included in the contract?

What details about the processing must the contract include?

What are the minimum required terms?

Processing only on the controller’s documented instructions

Duty of confidence

Appropriate security measures

Using sub-processors

Data subjects’ rights

Assisting the controller

End-of-contract provisions

Audits and inspections

Can standard contract clauses be used?

Why are contracts between controllers and processors important?

When does the GDPR say a contract is needed?

What about other legal acts?

What is the difference between a controller and a processor?

When are processors used?

What are sub-processors and when are they used?

Who should be party to the contract?

What responsibilities and liabilities do controllers have when using a processor?

What responsibilities does a controller have when using a processor?

What is a controller’s liability when it uses a processor?

What responsibilities and liabilities do processors have in their own right?

How much autonomy does a processor have?

What responsibilities does a processor have in its own right?

Can a processor be held liable for non-compliance?

Who is liable if a sub-processor is used?