This web site uses cookies. You are free to manage your cookie settings in your web browser at any time. For more about how we use cookies, please read our data privacy policy.

GDPR controller to processor contract considerations

GDPR controller to processor contract considerations

GDPR controller to processor contract considerations

by Jim Ashton | Oct 4, 2017


Many organisations use outsourced services. This document is relevant when an organisation requires the outsourced service provider to process personal data on its behalf. An example would be cloud based employment processing.

Purpose of this document

This document explains the components and content required to establish and maintain a GDPR compliant Controller to Processor contract.


  • Controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
  • Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of a Controller;

Controller to Processor considerations

The use of a Processor by a Controller requires a significant amount of work to establish and maintain.

The Controller is accountable for the Processor's actions unless the Processor acts outside its contractual obligation.

For a Controller to award processing to a Processor, the following are required:

  1. Demonstrable due-diligence by the Controller regarding the selection of a Processor
  2. A legally binding processing contract between the Controller and the Processor
  3. An ongoing communication channel between the Controller and the Processor
  4. Periodic reviews of the Processor against the processing contract

Processor selection

The following must be considered when selecting a Processor:

  1. Relevant knowledge
  2. Reliability
  3. Resources
  4. Technical and organisational measures
  5. Security
  6. Adherence to approved codes of conduct
  7. Possession of approved certifications
  8. Staff committed to confidentiality

Processor contract maintenance

Any processing outsourced to a Processor must be governed by a contract that contains provisions for:

  1. Processing subject matter
  2. Duration of the processing contract
  3. Nature and purposes of the processing
  4. Type of personal data
  5. Categories of data subjects
  6. The return or deletion of personal data on completion of the contract
  7. Documented processing instructions defined by the Controller
  8. Processor only processes data using the instructions from Controller
  9. Processor is liable to the Controller for any additional processors engaged by the Processor
  10. Controls over transfers of personal data outside the EEA or to an international organisation
  11. Additional contractual considerations if the Processor is not based in an EEA country

Controller to Processor communication channel

Regular contact must be maintained that allows for:

  1. Data protection impact assessment findings
  2. Assistance with prior consultation with the ICO
  3. Requests to engage other processors
  4. Intended changes
  5. Ad-hoc Controller requests
  6. Respond to requests for SARs
  7. Tell the controller if an instruction is not compliant

Periodic review of the Processor

  1. Controller conducts audits or inspections on an agreed periodic basis
  2. Processor submits to audits and inspections
  3. Processor maintains and provides information to demonstrate compliance
  4. Processor remediates processing based on the audit or inspection findings
  5. Controller verifies the remediation results
  6. Controller renews or terminates Processor contracts

 Share article

More articles: GDPR and personal data in the USA, Privacy Shield or Model Contract? | GDPR controller to processor contract considerations | Dealing with suspected personal data breaches under the GDPR | GDPR employee monitoring | Are you respecting your employees rights to privacy? | GDPR Human Resource consideration case study covering consent and rights | GDPR scaremongering | a few GDPR myths exposed | GDPR, what is personal data for European organisations? | Information security certifications and the GDPR | Am I OK with an ISO 27000? | How to set up a representative for the GDPR in the EU | When should you appoint a Data Protection Officer?