
GDPR Contract

by Adam Brogden
in Blog

18-Nov-2019 11:57

If you use any sort of data processor, you need to have a GDPR compliant contract in place. This is to protect you, the processor, and most importantly the data subjects. The contract must include certain clauses and must clearly define the responsibilities of all parties. Your Optindigo policy pack includes a useful template for this, and we are always happy to help review or create contracts for you. The ICO website provides a very useful checklist. Call us anytime for help, or take a look at the following to see what you need to include.

Good luck all!


Whenever a controller uses a processor, there must be a written contract (or other legal act) in place.

The contract is important so that both parties understand their responsibilities and liabilities.

The GDPR sets out what needs to be included in the contract.

If a processor uses another organisation (i.e. a sub-processor) to assist in its processing of personal data for a controller, it needs to have a written contract in place with that sub-processor.


What to include in the contract

The contract (or other legal act) sets out details of the processing including:

  • the subject matter of the processing;

  • the duration of the processing;

  • the nature and purpose of the processing;

  • the type of personal data involved;

  • the categories of data subject;

  • the controller’s obligations and rights.

The contract or other legal act includes terms or clauses stating that:

  • the processor must only act on the controller’s documented instructions, unless required by law to act without such instructions;

  • the processor must ensure that people processing the data are subject to a duty of confidence;

  • the processor must take appropriate measures to ensure the security of processing;

  • the processor must only engage a sub-processor with the controller’s prior authorisation and under a written contract;

  • the processor must take appropriate measures to help the controller respond to requests from individuals to exercise their rights;

  • taking into account the nature of processing and the information available, the processor must assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;

  • the processor must delete or return all personal data to the controller (at the controller’s choice) at the end of the contract, and the processor must also delete existing personal data unless the law requires its storage; and

  • the processor must submit to audits and inspections. The processor must also give the controller whatever information it needs to ensure they are both meeting their Article 28 obligations.

Hope this helps.