- What details about the processing must the contract include?
- What are the minimum required terms?
- Processing only on the controller’s documented instructions
- Duty of confidence
- Appropriate security measures
- Using sub-processors
- Data subjects’ rights
- Assisting the controller
- End-of-contract provisions
- Audits and inspections
- Can standard contract clauses be used?
Article 28(3) states that the contract (or other legal act) must include the following details about the processing:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subject; and
- the controller’s obligations and rights.
The controller therefore needs to be very clear from the outset about the extent of the processing it is contracting out.
Article 28(3) also sets out the following specific terms or clauses that must be included in the contract:
- Processing only on the documented instructions of the controller.
- Duty of confidence.
- Appropriate security measures.
- Using sub-processors.
- Data subjects’ rights.
- Assisting the controller.
- End-of-contract provisions.
- Audits and inspections.
These are the minimum required, but the controller and processor may agree to supplement them with their own terms. Each of these terms is explored further below.
Under Article 28(3)(a) the contract must say that the processor may only process personal data in line with the controller’s documented instructions (including when making an international transfer of personal data), unless it is required to do otherwise by EU or Member State law. Where such a legal requirement applies, Article 28(3)(a) also requires the processor to inform the controller of it before processing, unless the law prohibits this on important grounds of public interest.
The contract may itself set out the controller’s instructions, or the instructions may be provided separately and referred to in the contract.
An instruction can be documented in any written form, including email. Whatever form is used, the instruction must be capable of being retained, so that there is a record of what the processor was told to do and when.
This contract term should make it clear that it is the controller, rather than the processor, that has overall control of what happens to the personal data.
If a processor goes beyond the controller’s instructions and itself determines the purposes and means of processing (for example, by processing the data to meet its own statutory obligations), it is treated as a controller in respect of that processing and carries the same liability as a controller for it.
Under Article 28(3)(b) the contract must say that the processor must obtain a commitment of confidentiality from anyone it allows to process the personal data, unless that person is already under such a duty by statute.
This contract term should cover the processor’s employees as well as any temporary workers and agency workers who have access to the personal data.
Under Article 28(3)(c) the contract must oblige the processor to take all security measures necessary to meet the requirements of Article 32 on the security of processing.
Both controllers and processors are obliged under Article 32 to put in place technical and organisational measures that ensure a level of security appropriate to the risk of the processing. Depending on the circumstances, these measures may include:
- encryption and pseudonymisation;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability of, and access to, personal data in a timely manner after a physical or technical incident; and
- processes for regularly testing and assessing the effectiveness of the measures.
Adherence to an approved code of conduct or certification scheme may be used as a way of demonstrating compliance with security obligations. Codes of conduct and certification may also help processors to demonstrate sufficient guarantees that their processing will comply with the GDPR.
In more detail – ICO guidance
Read our guidance on security under the GDPR for more information.
Under Article 28(3)(d) the contract must say that:
- the processor should not engage another processor (a sub-processor) without the controller’s prior specific or general written authorisation;
- if a sub-processor is employed under the controller’s general written authorisation, the processor should let the controller know of any intended changes and give the controller a chance to object to them;
- if the processor employs a sub-processor, it must put a contract in place imposing the same Article 28(3) data protection obligations on that sub-processor, including that the sub-processor will provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the GDPR’s requirements. The wording of these obligations does not need to mirror exactly the contract between the controller and the processor, but it must offer an equivalent level of protection for the personal data; and
- the processor is liable to the controller for a sub-processor’s compliance with its data protection obligations.
For more information on the process for appointing sub-processors, please read our guidance on controllers and processors.
Under Article 28(3)(e) the contract must provide for the processor to take “appropriate technical and organisational measures” to help the controller respond to requests from individuals to exercise their rights.
This provision stems from Chapter III of the GDPR, which describes how the controller must enable data subjects to exercise various rights and respond to requests to do so, such as subject access requests, requests for the rectification or erasure of personal data, and objections to processing. For more information, please read our guidance on individuals’ rights.
Under Article 28(3)(f) the contract must say that, taking into account the nature of the processing and the information available, the processor must assist the controller in meeting its obligations to:
- keep personal data secure;
- notify personal data breaches to the supervisory authority;
- notify personal data breaches to data subjects;
- carry out data protection impact assessments (DPIAs) when required; and
- consult the supervisory authority where a DPIA indicates there is a high risk that cannot be mitigated.
We recommend that the contract is as clear as possible about how the processor will help the controller meet its obligations.
Under Article 28(3)(g) the contract must say that at the end of the contract the processor must:
- at the controller’s choice, delete or return to the controller all the personal data it has been processing for it; and
- delete existing copies of the personal data unless EU or Member State law requires it to be stored.
It should be noted that deletion of personal data should be done in a secure manner, in accordance with the security requirements of Article 32. For more information, please read our guidance on security.
The contract must include these terms to ensure the continuing protection of the personal data after the contract ends. This reflects the fact that it is ultimately for the controller to decide what should happen to the personal data being processed, once processing is complete.
We appreciate the practical reality that it may not be possible for data held in backups or archives to be deleted immediately on termination of a contract. Provided appropriate safeguards are in place, such as the data being put immediately beyond use (not restored, accessed or processed for any purpose other than its eventual deletion), it may be acceptable for the data not to be deleted immediately, as long as the retention period is appropriate and the data is deleted as soon as possible, eg on the processor’s next deletion/destruction cycle.
In more detail – ICO guidance
Read our guidance on deleting personal data for more information.
Under Article 28(3)(h) the contract must require:
- the processor to provide the controller with all the information that is needed to show that the obligations of Article 28 have been met; and
- the processor to allow for, and contribute to, audits and inspections carried out by the controller, or by an auditor appointed by the controller.
This provision obliges the processor to be able to demonstrate compliance with the whole of Article 28 to the controller. For instance, the processor could do this by giving the controller the necessary information or by submitting to an audit or inspection.
The GDPR does not require the contract to include a provision requiring the processor to keep records of the processing it carries out for the controller, although such records would help the processor demonstrate compliance with Article 28. Processors are, however, separately required by Article 30(2) to maintain records of their processing activities. For more on this, see our guidance on controllers and processors.
The GDPR allows the EU Commission and supervisory authorities (such as the ICO) to issue standard clauses to include in contracts between controllers and processors. These clauses may provide a simple way to ensure that contracts between controllers and processors comply with the GDPR. They may also form part of a certification scheme to demonstrate compliant processing, when the schemes have been approved.
The Danish Data Protection Agency has adopted standard contractual clauses (SCCs) for controller-processor contracts which have been approved by the EDPB. If you use these SCCs in a contract with a processor without amendment, the contract should comply with the requirements of Article 28.