The ICO exists to empower you through information.

This guidance discusses contracts and liabilities between controllers and processors in detail. Read it if you have detailed questions not answered in the Guide, or if you need a deeper understanding. DPOs and those with specific data protection responsibilities in larger organisations are likely to find it useful.

If you haven’t yet read contracts in brief in the Guide to Data Protection, you should read that first. It sets out the key points you need to know, along with practical checklists to help you comply.

This guidance will help both controllers and processors to understand what needs to be included in a contract and why. It will also help processors to understand their new responsibilities and liabilities under the UK GDPR.

There are many common issues to discuss about contracts and liabilities. We have structured the guidance so that these are discussed first. After this, the issues specific to controllers and processors are discussed separately. So whether you are one or the other, we recommend that you read the general sections first, and then read the sections specific to you. This will give you a full understanding of the topic.

Please note that this guidance is not a guide to contract law or to the intricacies of commercial contract negotiation. Contracting parties should, if required, seek advice from their own trade or professional organisations, and obtain professional advice on updating existing contracts and agreeing the terms of new contracts. The commercial aspects of the contract are a matter for the parties, so long as it complies with the UK GDPR.


When is a contract needed and why is it important?

What needs to be included in the contract?

Why are contracts between controllers and processors important?

When does the UK GDPR say a contract is needed?

What about other legal acts?

What is the difference between a controller and a processor?

When are processors used?

What are sub-processors and when are they used?

Who should be party to the contract?



What details about the processing must the contract include?

What are the minimum required terms?

Processing only on the controller’s documented instructions

Duty of confidence

Appropriate security measures

Using sub-processors

Data subjects’ rights

Assisting the controller

End-of-contract provisions

Audits and inspections

Can standard contract clauses be used? 

What responsibilities and liabilities do controllers have when using a processor?

What responsibilities and liabilities do processors have in their own right?

What responsibilities does a controller have when using a processor?

What is a controller’s liability when it uses a processor?

How much autonomy does a processor have?

What responsibilities does a processor have in its own right?

Can a processor be held liable for non-compliance?

Who is liable if a sub-processor is used?