The contractual relationship between Processor and Controller

The General Data Protection Regulation (“GDPR”) establishes in its article 28 the rules around the “Processor”. The Processor processes Personal Data on behalf of the Controller.

The Controller has a duty of diligence when selecting the Processor and has to be able to prove it has been diligent in its choosing. It should, logically, only select a Processor that is able to guarantee compliance with GDPR.

The Processor should not subcontract without the written permission of the Controller. This because it is the Controller who is firstly responsible/ liable for the processing done by the Processor and its subcontractors.

The relationship between Controller and Processor should be governed by a contract which details the following obligations for the processor:

  • processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  • ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • takes all security measures required pursuant to Article 32 GDPR;
  • respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
  • taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights;
  • assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
  • at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
  • makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in article 28 of GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

If a subcontractor is engaged by the Processor, the contract between them shall have the same clauses as between Controller and Processor.

The Processor shall be fully liable for its subcontractors.

If the Processor has “official” (quality) certifications or adheres otherwise to an approved code of conduct as mentioned in article 40 GDPR, it will count towards a positive judgment whether the controller has done its due diligence when selecting.

Please bear in mind that this is just a summary of the clause(s) that affect the processor and controller under GDPR. We can help you to determine whether you are a Controller, processor or both and we can help draft and or review legal clauses that govern these relationships.

Contact us.


Leave a Reply