Get Free Downloads
Start your GDPR today in just a few clicks
Get Free Downloads
Start your GDPR today in just a few clicks

GDPR Controllers And Contracts

by Adam Brogden
in Blog

20-Sep-2019 12:49

Take a look at this interesting article from the ICO - Controllers need to have appropriate contracts in place when they use processors. This probably means you!


Whenever a controller uses a processor, there must be a written contract or other legal act in place. This makes sure that both parties understand their responsibilities and liabilities. The GDPR sets out what needs to be included in the contract:

The contract (or other legal act) sets out details of the processing including:

  1. the subject matter of the processing;

  2. the duration of the processing;

  3. the nature and purpose of the processing;

  4. the type of personal data involved;

  5. the categories of data subject;

  6. the controller’s obligations and rights.

The contract or other legal act includes terms or clauses stating that:

  1. the processor must only act on the controller’s documented instructions, unless required by law to act without such instructions;

  2. the processor must ensure that people processing the data are subject to a duty of confidence;

  3. the processor must take appropriate measures to ensure the security of processing;

  4. the processor must only engage a sub-processor with the controller’s prior authorisation and under a written contract;

  5. the processor must take appropriate measures to help the controller respond to requests from individuals to exercise their rights;

  6. taking into account the nature of processing and the information available, the processor must assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;

  7. the processor must delete or return all personal data to the controller (at the controller’s choice) at the end of the contract, and the processor must also delete existing personal data unless the law requires its storage; and

  8. the processor must submit to audits and inspections. The processor must also give the controller whatever information it needs to ensure they are both meeting their Article 28 obligations.


This requirement is fundamental to GDPR and you really should make sure you have appropriate contracts in place. If you have any questions please call us - we have standard contract documents available.

Good luck all.