Four key points to include in contracts between Data Controllers and Data Processors

The General Data Protection Regulation (2016/679), imposes clear requirements controlling the appointment of data processors by data controllers.  One of these is a requirement prescribing various matters which must be stipulated in a written contract (Article 28). As and from 25 May 2018 all agreements between Data Controllers and Data Processors need to meet these new GDPR requirements.

This is a major change for many organisations, who may have worked without clear documented contracts. However as the Irish Data Protection Commissioner says:  “Informal and ad-hoc arrangements will not be acceptable, where personal data is involved”.

You should therefore check your existing contracts to make sure they contain all the required elements. If they don’t, you should get new contracts in place and make sure they cover the 4 points below at least.

It would also be a good idea to make sure that your processor understands the reasons for the changes and the new obligations that the GDPR puts on it. Remember that Fortnum & Mason were hacked, not because the 311-year-old retailer did anything wrong themselves, but because of one of its Data Processors. This Data Processor whose database was hacked was a 3rd party company, retained to run a survey for Fortnum & Mason. Yet Fortnum & Mason was the company whose name was in the newspaper headlines.  Your processor needs to understand the risks that its runs which may include an administrative fine or other sanction if it does not comply with its obligations.

The following four key points at least should be included in a contract between a Data Controller and a Data Processor:


The contract must commit the data processor to apply “appropriate security measures” to protect personal data from a data breach.

End of a Data Controller and Data Processor contract

It may seem obvious but the contract must specify the deletion or return of the data upon ending of the contract between Data Controllers and Data Processors.


If there are penalties in place they should be specified here, should the terms of the contract be broken.  Remember that GDPR also introduces fines of up to 4% of annual worldwide turnover for the most serious breaches  and the risk of private claims for compensation. This presents a not inconsiderable risk to most organisations.


The Data Controller or their agents have a right to inspect or audit the Data Processor as to ensure compliance with the provisions of the contract.

Please note GDPR is a complex principle based law which will be interpreted by national regulators and courts.  In addition it also contains numerous areas where Member States are permitted to enhance GDPR requirements As such there is very limited very limited guidance or case law on Article 28.  It’s currently unclear how stringently national regulators and courts will view organisations efforts to comply.

Leave a Reply