A Practical Guide to Controller-Processor Contracts

The General Data Protection Regulation (GDPR) obliges Controllers and Processors to enter into a legally binding contract governing the processing of personal data when a controller engages a processor to process personal data on its behalf (a 'data processing contract').

When engaging a processor, the GDPR stipulates that controllers are obliged to use only processors which provide sufficient guarantees to implement appropriate technical and organisational measures to comply with GDPR and to protect data subject rights. There are also a number of other obligations which the GDPR imposes directly on controllers and processors in addition to any contractual obligations which they may be subject to under a data processing contract (for example, record-keeping obligations, ensuring the security of data processing etc.).

The GDPR has increased the number of provisions which must be included in a data processing contract. Article 28(3) GDPR prescribes the provisions which, at a minimum, must be included in a data processing contract. These are as follows:

  • The subject matter, duration, nature and purpose of the data processing;
  • The type of personal data being processed;
  • The categories of data subjects whose personal data is being processed; and
  • The obligations and rights of the controller.

A more detailed list of mandatory provisions is included in our guidance note.

There are a number of other non-mandatory provisions which controllers and processors may wish to include in a data processing contract. Such provisions may include but are not limited to:

  • Liability provisions (including indemnities);
  • Detailed (technical) security provisions; and/or
  • Additional cooperation provisions between the controller and processor.

Please see our Practical Guide to Controller-Processor Contracts (pdf) for more information.