Search the Hub by keyword

The Controller-Processor relationship

Article 28 of the GDPR (s59-60 of the Data Protection Act 2018) sets out that a Data Controller can only use a third-party Data Processor to process their personal data if:

  1. The processor is compliant and able to demonstrate as much
  2. There is a contract in place between the Controller and Processor

This essentially means that if you are planning on using a third-party to process your personal data, bearing in mind the wide definition of “processing”  you will need to apply these rules. It also means, if you are a Data Processor, you either need to pre-empt these expectations of your clients or expect them to carry out due diligence on you.

The GDPR stipulates the precise contract terms required and most businesses adopt these via a Data Processing Agreement (or “DPA”) either as a standalone separate document or as part of Terms of Service or Terms and Conditions.

It does not matter whether the contract or DPA is produced by the Controller looking for the Processor to agree to its terms, or by the Processor setting out that if a Controller wishes to use it’s service it agrees to its DPA terms.

Simply put, the DPA (or contract) needs to set out that the Processor:

  1. Only process the personal data on the documented instructions of the Data Controller
  2. Only process the data outside the EU on the documented agreement with the Data Controller
  3. Ensure that any personnel processing the data for the Data Processor are fully up to speed with data protection law and duties of confidentiality
  4. Ensure that all processing is done with technical and organisational measures in place to ensure the security of processing
  5. Only engage sub-processors with the permission of the Data Controller as well as accept liability for ensuring the sub-processors are compliant and bound by similar rules
  6. Assist the Data Controller with its duties to deal with individuals’ rights (e.g. subject access requests)
  7. Assist the Data Controller with its obligations relating to security, data breaches and data protection impact assessments (DPIA)
  8. At the choice of the controller either delete or return (securely) data at the end of the processing activities
  9. Makes available to the controller all information necessary to demonstrate compliance which includes contributing to and allowing the controller to carry out audits and inspections

In practice this means that most Controllers are bound (by agreement) to the Processor’s DPAs and terms of service which typically set out the above requirements. That said, it is still the Controllers responsibility to make sure that the correct obligations are in place with the Processor, which is why the Controller will need to carry out some form of due diligence check upon the Processor.

For an overview, watch this recording of a webinar we ran in February 2019. You can also download a copy of the slides here


We have also produced a checklist of the things you’ll need to do carry out.

Third-Party Processor Due Diligence Kit

We’ve put everything you need to comply with the Article 28 controller and processor obligations relating to third-party data processor due diligence into one complete kit. This is the same content as available on the Hub, but bundled together in a collection of supporting documents and a guiding document setting out what you need to consider – a quick way to get your compliance on track.