Contracts and liabilities between controllers and processors under GDPR

clock • 3 min read

The draft guidance aims to help data controllers and data processors understand their roles

In September, the ICO opened a consultation period on its draft guidance, which provides practical guidelines for UK organisations on contracts between data controllers and processors under the GDPR.

The draft guidance includes an overview of the mandatory provisions that will need to be in place between controllers and processors from May next year, and stresses the requirements of their statutory obligations.

The guidance aims to help both parties to understand their roles and to find compromising solutions for them to be able to have the mandatory provisions in place. It is also seeking UK organisations' views as to whether the guidance provides the level of detail and clarification that they need to properly address this requirement.

The consultation closed yesterday, and despite that the guidance may not provide sufficient details on every single point. However, it does include a lot of useful content that can be easily understood and followed, e.g. a controller and processor contracts checklist.

What are the current obligations?

The Seventh Principle of the Data Protection Act 1998 places an obligation on controllers for them to ensure:

  • that they have chosen a processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing of data - meaning an IT security audit needs to be carried out; and

  • that they have put in place a written contract stating that the processor will only act under the instructions of the controller and that they comply with data security obligations equivalent to those imposed on the controller.

The GDPR regime - updates that are opening discussion

The GDPR enhances the current obligations and includes a set of mandatory provisions that need to be included in the agreements between data controllers and processors. These provisions are not new; in fact, many data protection practitioners have been using them for years to clarify positions and minimise risks. However, the fact of this becoming mandatory is opening new points of discussion between parties that require special attention; for example regarding additional fees, the extent to which both parties will collaborate with each other and identifying what data fits into the category of "being processed on behalf of the controller", amongst other things.

In light of this, many organisations are struggling to understand who would be responsible if one of the parties does its best to renegotiate a current agreement and the other party refuses to do so. Initially, you may conclude that the party refusing would be the responsible or liable one. However, the obligation of having suitable provisions in place is the controller's responsibility under the GDPR.

It seems that each case where parties do not find a compromising solution should be analysed on a case-by-case basis. This has raised concerns among controllers, as it may be difficult to simply change provider if they already have invested most of their budget on an existing contract. Would they be given more time - for example, the extension of the period that for certain cases would apply under Recital 171 of the GDPR - to find a solution without breaching the regulation?

We hope to hear more about this and other concerns related to this topic from both the ICO and the Article 29 Working Party.

In the interim, organisations will generally find the ICO's draft guidance useful to the extent that it explains why contracts between controllers and processors are important; it makes a distinction between what content is mandatory and what provisions are recommended for good practice. It also clarifies the processors' contractual obligations and what their direct responsibilities are under the GDPR - the understanding of which is crucial for service providers.

Rocio de la Cruz is principal associate at Gowling WLG

You may also like
EU heavies disagree with bloc's AI plans, support UK-style 'wait-and-see' proposal

Legislation and Regulation

MEP labels leaked policy 'a declaration of war'

clock 20 November 2023 • 3 min read
Provisional inter-institutional agreement on the proposal on political advertising reached © European Union (2023)


But lobbyists continue to fight back

clock 10 November 2023 • 4 min read
Amazon, Meta settle UK antitrust investigations


CMA concerned about use of competitor data to improve own services

clock 05 November 2023 • 2 min read
Most read
Upcoming events

Sign up to our newsletter

The best news, stories, features and photos from the day in one perfectly formed email.

More on Legislation and Regulation

EU heavies disagree with bloc's AI plans, support UK-style 'wait-and-see' proposal

EU heavies disagree with bloc's AI plans, support UK-style 'wait-and-see' proposal

MEP labels leaked policy 'a declaration of war'

clock 20 November 2023 • 3 min read
Google’s witness accidentally reveals an important detail. Source: iStock

Google's witness accidentally reveals important detail in antitrust trial

Google attorney 'visibly cringed' at revelation, according to reports

clock 15 November 2023 • 2 min read
China US

Biden and Xi to sign deal limiting use of AI in nuclear weapons systems

Hopes are high that the landmark agreement will be a step towards improving global superpower relations

clock 14 November 2023 • 2 min read