At a glance

  • Whenever a controller uses a processor, there must be a written contract (or other legal act) in place.
  • The contract is important so that both parties understand their responsibilities and liabilities.
  • The GDPR sets out what needs to be included in the contract.
  • If a processor uses another organisation (ie a sub-processor) to assist in its processing of personal data for a controller, it needs to have a written contract in place with that sub-processor.

Checklists

What to include in the contract

The contract (or other legal act) sets out details of the processing including:

  • the subject matter of the processing;
  • the duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data involved;
  • the categories of data subject;
  • the controller’s obligations and rights.

The contract or other legal act includes terms or clauses stating that:

  • the processor must only act on the controller’s documented instructions, unless required by law to act without such instructions;
  • the processor must ensure that people processing the data are subject to a duty of confidence;
  • the processor must take appropriate measures to ensure the security of processing;
  • the processor must only engage a sub-processor with the controller’s prior authorisation and under a written contract;
  • the processor must take appropriate measures to help the controller respond to requests from individuals to exercise their rights;
  • taking into account the nature of processing and the information available, the processor must assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • the processor must delete or return all personal data to the controller (at the controller’s choice) at the end of the contract, and the processor must also delete existing personal data unless the law requires its storage; and
  • the processor must submit to audits and inspections. The processor must also give the controller whatever information it needs to ensure they are both meeting their Article 28 obligations.

In brief

What’s new under the GDPR?

The GDPR makes written contracts between controllers and processors a requirement, rather than just a way of demonstrating compliance with the seventh data protection principle (appropriate security measures) under the Data Protection Act 1998.

These contracts must now include specific minimum terms. These terms are designed to ensure that processing carried out by a processor meets all the GDPR requirements, not just those related to keeping personal data secure.

When is a contract needed and why is it important?

Whenever a controller uses a processor to process personal data on their behalf, a written contract needs to be in place between the parties.

Similarly, if a processor uses another organisation (ie a sub-processor) to help it process personal data for a controller, it needs to have a written contract in place with that sub-processor.

Contracts between controllers and processors ensure they both understand their obligations, responsibilities and liabilities. Contracts also help them comply with the GDPR, and assist controllers in demonstrating to individuals and regulators their compliance as required by the accountability principle.

What needs to be included in the contract?

Contracts must set out:

  • the subject matter and duration of the processing;
  • the nature and purpose of the processing;
  • the type of personal data and categories of data subject; and
  • the controller’s obligations and rights.

Contracts must also include specific terms or clauses regarding:

  • processing only on the controller’s documented instructions;
  • the duty of confidence;
  • appropriate security measures;
  • using sub-processors;
  • data subjects’ rights;
  • assisting the controller;
  • end-of-contract provisions; and
  • audits and inspections.

What responsibilities and liabilities do controllers have when using a processor?

Controllers must only use processors that can give sufficient guarantees they will implement appropriate technical and organisational measures to ensure their processing will meet GDPR requirements and protect data subjects’ rights.

Controllers are primarily responsible for overall compliance with the GDPR, and for demonstrating that compliance. If this isn’t achieved, they may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.

What responsibilities and liabilities do processors have in their own right?

In addition to its contractual obligations to the controller, a processor has some direct responsibilities under the GDPR. If a processor fails to meet its obligations, or acts outside or against the controller’s instructions, it may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.

A processor may not engage a sub-processor’s services without the controller’s prior specific or general written authorisation. If authorisation is given, the processor must put in place a contract with the sub-processor. The terms of the contract that relate to Article 28(3) must offer an equivalent level of protection for the personal data as those in the contract between the controller and processor. Processors remain liable to the controller for the compliance of any sub-processors they engage.

In more detail – ICO guidance

We have produced more detailed guidance on contracts and liabilities between controllers and processors.