
UK: An overview of Vendor Privacy Contracts

Kelly Hagedorn, Alex Sobolev, Hanna Hewitt, and Thomas Seward, of Orrick, Herrington & Sutcliffe (UK) LLP, provide a comprehensive overview of vendor privacy contracts in the UK.

1. Contractual requirements

1.1. Are there requirements for a contract to be in place between a controller and processor? 

The UK GDPR (Regulation (EU) 2016/679 as retained and amended in UK law) requires, in Article 28(3), that processing by a processor 'is governed by a contract or other legal act under domestic law that is binding on the processor with regard to the controller.'

While the UK GDPR therefore leaves open the possibility that a controller-processor relationship is governed by a 'legal act' other than a contract, in practice a contract is the most appropriate means of meeting this requirement, and by far the most common. Whichever form is used, it must be in writing, including in electronic form (Article 28(9)).

1.2. What content should be included in a contract between a controller and processor? 

Responsibility for compliance with the UK GDPR sits overwhelmingly with controllers rather than processors. Processors can be held liable for infringing the provisions of the UK GDPR that are specifically directed at processors, but in general controllers are responsible for the actions of their processors unless the processor acts outside of, or contrary to, the controller's instructions. A processor that goes further and determines the purposes and means of processing itself is treated as a controller in respect of that processing (Article 28(10)).

At the same time, controllers should not be expected to dictate every technical detail of the processor's processing. A controller is defined in the UK GDPR as the person that 'determines the purposes and means of the processing of personal data;' in practice, however, exercising full control over the means of processing would largely defeat the purpose of engaging a processor to perform a delegated function on the controller's behalf.

While the overall purpose of the processing is dictated by the controller, guidance at the European level distinguishes between 'essential' and 'non-essential' means of processing, allowing processors a certain degree of discretion about how to best serve the controller's interests and choice as to the most suitable technical and organizational means.  

Although the contents of data processing agreements (DPAs) are prescribed in Article 28 of the UK GDPR, the way the prescribed terms are implemented in practice will reflect the above balance between control and responsibility on the one hand, and delegation on the other.  

The minimum terms to be included in a DPA under Article 28(3) of the UK GDPR are:

  • Subject matter, duration, nature and purpose of the processing and personal data involved: The contract should set out the subject matter and duration of the processing, its nature and purpose, the type of personal data, and the categories of data subjects, as well as the obligations and rights of the controller.
  • Processing only on documented instructions: The processor should be required to process personal data only on documented instructions from the controller (including with regard to international transfers), except where processing is required by domestic (i.e., UK) law to which the processor is subject. Where a processor is required to process data to comply with UK law, it should inform the controller of that legal requirement before processing, unless that law prohibits it from doing so on important grounds of public interest.
  • Confidentiality: The processor must ensure that anyone it authorizes to process the personal data has committed to confidentiality or is under an appropriate statutory obligation of confidentiality. In practice, this clause should cover the processor's employees as well as any contractors or temporary workers who have access to the personal data.
  • Security: The processor should be required to implement appropriate technical and organizational security measures in respect of the personal data (see below for further discussion). For example, the measures might include steps that: 
    • pseudonymize and encrypt personal data;
    • ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
    • restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident (a ransomware attack is one example, but so is a data-centre outage or hardware failure); and
    • regularly test, assess, and evaluate the effectiveness of the technical and organizational measures in question.
  • Subprocessors: The processor should only be permitted to appoint subprocessors to process personal data with either specific or general authorization from the controller (on which see further below), and on the condition that the processor enters into an agreement with the subprocessor that sets out the same data protection obligations as are set out in the agreement between the controller and processor. The processor will remain liable to the controller for the performance of the subprocessor's obligations. 
  • Assistance with data subject requests: The processor should assist the controller, insofar as this is possible and through appropriate technical and organizational measures, with the fulfilment of the controller's obligation to respond to data subject rights requests under the UK GDPR (see further below).
  • Assistance with security, breach notification, impact assessments, and prior consultation: Taking into account the nature of the processing and the information available to it, the processor should assist the controller with:
    • compliance with the controller's security obligations under the UK GDPR; 
    • notification of personal data breaches to the Information Commissioner's Office (the UK data protection regulator) (ICO);  
    • notification of personal data breaches to impacted individuals;  
    • carrying out Data Protection Impact Assessments (DPIAs), where required; and
    • prior consultation with the ICO where a DPIA indicates a high risk that cannot be mitigated.
  • Delete or return all personal data of the controller at the end of the services: At the controller's choice, the processor must delete or return all the personal data after the end of the provision of the services relating to the processing, and delete existing copies unless domestic law requires their storage. Provided that appropriate safeguards are in place, guidance accepts that personal data need not be deleted immediately, so long as the retention period is appropriate and the data is deleted as soon as possible, e.g., at the processor's next scheduled deletion cycle. Controllers should consider specifying that cycle, and requiring written confirmation of deletion, in the DPA.
  • Make available to the controller all information necessary to demonstrate compliance with Article 28 of the UK GDPR, including allowing for and contributing to audits and inspections conducted by the controller or an auditor mandated by the controller.
  • Notify the controller if an instruction infringes the UK GDPR or other domestic data protection law: The processor must immediately inform the controller if, in its opinion, an instruction infringes the UK GDPR or other domestic data protection provisions. The scope of this obligation is not immediately clear: it sits separately from the others and is expressed by reference to the obligation to demonstrate compliance and assist with audits. In practice, it has been interpreted as referring to any instruction (i.e., any instruction for processing) from the controller,1 which fits with the processor's overall duty to assist the controller with compliance.

1.3. Are there requirements for a contract to be in place between a controller and another controller? 

(A) Joint controllers  

Parties acting as joint controllers are required under Article 26 of the UK GDPR to determine, in a transparent manner and by means of an arrangement between them, their respective responsibilities for compliance with the UK GDPR, in particular as regards the exercise of data subject rights and the provision of transparency information under Articles 13 and 14, unless those responsibilities are determined by applicable UK law. The essence of the arrangement must be made available to data subjects. The UK GDPR provides that the arrangement may designate a contact point for data subjects; the Data Protection Act 2018 (the Act) goes further for joint controllers that are competent authorities processing for law enforcement purposes under Part 3 of the Act, for which the arrangement must designate the controller that is to be the contact point.

Although the content and form of these arrangements are not prescribed as they are for controller-processor relationships, in practice parties will seek to set out their obligations in reasonable detail. Joint processing implies joint responsibility: a data subject may exercise their rights against either joint controller regardless of the terms of the arrangement, and a clearly worded contract may not ultimately displace the presumption that both parties should be held jointly liable for processing in breach of the UK GDPR. It can, however, support an argument to the ICO that the parties' degree of responsibility for a particular infringement should not be allocated equally when assessing potential fines. The points to consider are likely to be similar to those included in a data sharing agreement (DSA) between independent controllers (as set out below).

(B) Independent controllers  

Where both parties act as independent controllers, the UK GDPR does not require a contract between them. However, it is often best practice for the parties to enter into a DSA setting out the purpose of the data sharing and the roles and responsibilities of each party; the ICO's data sharing code of practice recommends this.

While each party has its own obligations under the UK GDPR as an independent controller, the sharing party will need to ensure that the act of transferring the personal data is itself lawful and aligns with its obligations under the UK GDPR, and the recipient will need to understand the scope of its obligations on receipt and satisfy itself that it can use the data lawfully. As a result, parties may wish to include the following:

  • A description of the data being shared, including the presence of any special category data or criminal offense data. 
  • The lawful basis for sharing data.  
  • A limitation on the purpose of the transfer of personal data and onward processing by the recipient. 
  • Allocation of responsibilities for providing transparency information to data subjects regarding the recipient's processing and, where applicable, obtaining consent from data subjects. For instance, where the recipient will not necessarily have access to data subjects' contact details to fulfil its transparency obligations under Article 14 of the UK GDPR, it may seek to delegate in contract the responsibility for providing a privacy notice to the party sharing the data. 
  • A process for handling data subject requests. Controllers are required, under Article 19 of the UK GDPR, to notify recipients of the personal data of any rectification or erasure of personal data or restriction of processing in response to a data subject rights request. Once the party receiving the personal data is aware of the exercise of these rights, it would be difficult for it to justify ongoing processing of personal data that is subject to a deletion, rectification, or restriction request. 
  • Procedures for retention and deletion, as well as an agreement on appropriate security standards (for both personal data in transit and personal data at rest). 

2. Data subject rights handling and assistance 

Primary responsibility for giving effect to data subject rights under the UK GDPR sits with controllers. As a result, when engaging processors, controllers will wish to maintain a degree of control over the handling of data subject rights while leveraging the processor's capabilities for assistance with responding to rights requests. 

Article 28(3)(e) reflects this dynamic by requiring processors to provide assistance using appropriate technical and organizational measures (insofar as this is possible) for the fulfilment of the controller's obligation to respond to data subject rights requests. However, each party may, in practice, wish to go further by specifying the scope of the processor's obligations, such as: 

  • what technical and organizational measures the processor makes available to assist with data subject rights requests, such as the existence of 'self-serve' dashboards and automated processes; and 
  • what procedure the processor will follow on receipt of a data subject request, including whether the processor should acknowledge the request and identify the controller as the party responsible, prohibitions on further communication with the data subject, the time frame for forwarding the request to the controller, and any steps the processor should take to assist with verifying the identity of the data subject. Any timings included in the agreement should leave room for the controller's obligation to respond to requests without undue delay and in any event within one month of receipt (extendable by up to two further months where requests are complex or numerous, under Article 12(3)).

3. Security measures

The requirement to implement appropriate technical and organizational security measures under Article 32 of the UK GDPR applies to controllers and processors independently.

That being said, controllers have the added obligation under Article 28(1) of engaging only processors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the UK GDPR and ensure the protection of data subject rights.

In practice, detailed contractual obligations in respect of (among other matters) the security measures to be implemented by the processor, or at least minimum standards, can go some way towards demonstrating the controller's compliance with this obligation. Contract terms alone are not a substitute for due diligence, however: the controller should satisfy itself of the processor's guarantees before engagement and use the audit and information rights in the DPA thereafter. Adherence by the processor to an approved code of conduct or certification mechanism may also be used as an element to demonstrate sufficient guarantees (Article 28(5)).

4. Breach notification

Under Article 33 of the UK GDPR, a controller must notify a personal data breach to the ICO without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the 72-hour deadline is missed, the notification must be accompanied by reasons for the delay. Where the breach is likely to result in a high risk to individuals, the controller must also communicate it to the affected data subjects without undue delay (Article 34). It is therefore the controller, not the processor, that reports a breach to the regulator and to individuals.

Processors are required to notify the controller 'without undue delay' after becoming aware of a personal data breach, so that the controller can make any regulatory and/or individual notifications it is required to make within its own deadline. Because the controller's 72 hours run from the controller's awareness, parties will typically specify in the DPA a short, fixed period for the processor's notification (and the minimum content of it) rather than relying on 'without undue delay' alone.

5. Subprocessors

Article 28(2) of the UK GDPR prohibits a processor from engaging another processor without the controller's prior specific or general written authorization. Specific authorization requires the controller's consent to each appointment; under general authorization, the processor may appoint subprocessors (in practice, from a pre-agreed list) but must inform the controller of any intended addition or replacement, giving the controller the opportunity to object.

While controllers may view specific authorization as a more effective way of exercising control over the processor's activities, parties should consider whether a requirement for specific consent to each appointment is workable in practice and achieves the relevant balance between control and delegation in the specific context of the services provided by the processor. 

Parties will also likely wish to add more specifics in relation to notification and objection periods, as well as the process for resolving any disputes, to avoid the process for changing subprocessors becoming an administrative blocker to ongoing service provision. 

6. Regulatory assistance

Processors are required, taking into account the nature of the processing and the information available to them, to assist controllers with carrying out DPIAs and with prior consultations with the ICO (Article 28(3)(f)).

7. Cross-border transfers

Where DPAs and DSAs are entered into between a UK-based personal data exporter and another party (whether a controller or a processor) established outside of the UK, the parties need to ensure that any transfers of personal data are made using the appropriate international data transfer mechanism. 

  • Transfers on the basis of an adequacy decision: Transfers of personal data are allowed to countries that 'ensure an adequate level of protection,' as set out in the Act or in adequacy regulations made by the UK Secretary of State. For the current list of adequate jurisdictions, see the ICO's guidance on which countries or territories are covered by adequacy decisions. Where an adequacy decision exists, personal data can be transferred between a data exporter and another party under a DPA or DSA without any additional transfer mechanism.
  • Transfers on the basis of other appropriate safeguards: For jurisdictions where no adequacy decision is in place, transfers of personal data must be made using an appropriate safeguard under Article 46 of the UK GDPR. In the UK, the ICO has issued standard data protection clauses for transfers to non-adequate jurisdictions: the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the Standard Contractual Clauses approved by the European Commission (the Addendum). One of the IDTA or the Addendum will need to be incorporated into the DPA or DSA to legitimize the transfer. In addition, the data exporter will need to undertake a transfer risk assessment to confirm that the recipient is able to provide a level of protection for the personal data that is essentially equivalent to that guaranteed under the UK GDPR, taking into account the laws and practices of the destination country and any supplementary measures applied.


Kelly Hagedorn, Partner
Alex Sobolev, Senior Associate
Hanna Hewitt, Associate
Thomas Seward, Trainee
Orrick, Herrington & Sutcliffe (UK) LLP, London


1 See page 13 of the European Data Protection Board's (EDPB) Guidelines 3/2018 on the territorial scope of the GDPR (Article 3).
