Contracts

19 May 2023 - we have broken the Guide to the UK GDPR down into smaller guides. All the content stays the same.

At a glance

Checklists

What to include in the contract

The contract (or other legal act) sets out details of the processing including:

☐ the subject matter of the processing;

☐ the duration of the processing;

☐ the nature and purpose of the processing;

☐ the type of personal data involved;

☐ the categories of data subject;

☐ the controller’s obligations and rights.

The contract or other legal act includes terms or clauses stating that:

☐ the processor must only act on the controller’s documented instructions, unless required by law to act without such instructions;

☐ the processor must ensure that people processing the data are subject to a duty of confidence;

☐ the processor must take appropriate measures to ensure the security of processing;

☐ the processor must only engage a sub-processor with the controller’s prior authorisation and under a written contract;

☐ the processor must take appropriate measures to help the controller respond to requests from individuals to exercise their rights;

☐ taking into account the nature of processing and the information available, the processor must assist the controller in meeting its UK GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;

☐ the processor must delete or return all personal data to the controller (at the controller’s choice) at the end of the contract, and the processor must also delete existing personal data unless the law requires its storage; and

☐ the processor must submit to audits and inspections. The processor must also give the controller whatever information it needs to ensure they are both meeting their Article 28 obligations.

In brief

When is a contract needed and why is it important?

Whenever a controller uses a processor to process personal data on their behalf, a written contract needs to be in place between the parties.

Similarly, if a processor uses another organisation (ie a sub-processor) to help it process personal data for a controller, it needs to have a written contract in place with that sub-processor.

Contracts between controllers and processors ensure they both understand their obligations, responsibilities and liabilities. Contracts also help them comply with the UK GDPR, and assist controllers in demonstrating to individuals and regulators their compliance as required by the accountability principle.

What needs to be included in the contract?

Contracts must set out:

Contracts must also include specific terms or clauses regarding:

What responsibilities and liabilities do controllers have when using a processor?

Controllers must only use processors that can give sufficient guarantees they will implement appropriate technical and organisational measures to ensure their processing will meet UK GDPR requirements and protect data subjects’ rights.

Controllers are primarily responsible for overall compliance with the UK GDPR, and for demonstrating that compliance. If this isn’t achieved, they may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.

What responsibilities and liabilities do processors have in their own right?

In addition to its contractual obligations to the controller, a processor has some direct responsibilities under the UK GDPR. If a processor fails to meet its obligations, or acts outside or against the controller’s instructions, it may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.

A processor may not engage a sub-processor’s services without the controller’s prior specific or general written authorisation. If authorisation is given, the processor must put in place a contract with the sub-processor. The terms of the contract that relate to Article 28(3) must offer an equivalent level of protection for the personal data as those in the contract between the controller and processor. Processors remain liable to the controller for the compliance of any sub-processors they engage.

Further Reading

Relevant provisions in the UK GDPR - See Articles 28, 29, 30, 31, 32, 33, 34, 35 and 36 and Recitals 81, 82 and 83

In more detail – ICO guidance

The Accountability Framework looks at the ICO’s expectations in relation to contracts.