GDPR – Controller and Processor Responsibilities & Contracts



So who’s responsible for your personal data: you or your software vendor? And do you know whether you are a Controller or a Processor?

A Controller

Retains ultimate responsibility for ensuring that data is processed in a compliant manner, even if they appoint a processor to process data on their behalf. They will only be exempt from liability under the GDPR if they prove that they were ‘not in any way responsible for the event giving rise to the damage’ resulting from non-compliant processing.

The Controller Decides:

  • to collect the personal data in the first place and the legal basis for doing so;
  • which items of personal data to collect, ie the content of the data;
  • the purpose or purposes the data are to be used for;
  • which individuals to collect data about;
  • whether to disclose the data, and if so, who to;
  • whether subject access and other individuals’ rights apply ie the application of exemptions; and
  • how long to retain the data or whether to make non-routine amendments to the data.

A Processor

May be liable for fines and to pay compensation for non-compliance with specific processor obligations under the GDPR, or where they act outside or contrary to the lawful instructions of the controller.

The Processor can decide:

  • what IT systems or other methods to use to collect personal data;
  • how to store the personal data;
  • the detail of the security surrounding the personal data;
  • the means used to transfer the personal data from one organisation to another;
  • the means used to retrieve personal data about certain individuals;
  • the method for ensuring a retention schedule is adhered to;
  • the means used to delete or dispose of the data.

On 13 September 2017 the UK Information Commissioner’s Office (ICO) published draft guidance on contracts and liabilities between controllers and processors under the GDPR.

The draft guidance does not add much detail to the provisions of the GDPR but is a useful reminder of the key points. For example, it highlights the requirement for a written contract between the controller and any of its processors and summarises the provisions that the GDPR states must be included in the contract. See below: 

Controller and processor contracts checklist

Our contracts include the following compulsory details:

  • The subject matter and duration of the processing;
  • The nature and purpose of the processing;
  • The type of personal data and categories of data subject;
  • The obligations and rights of the controller.

Our contracts include the following compulsory terms:

  • The processor must only act on the written instructions of the controller (unless required by law to act without such instructions);
  • The processor must ensure that people processing the data are subject to a duty of confidence;
  • The processor must take appropriate measures to ensure the security of processing;
  • The processor must only engage a sub-processor with the prior consent of the data controller and a written contract;
  • The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
  • The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • The processor must delete or return all personal data to the controller as requested at the end of the contract; and
  • The processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

As a matter of good practice, our contracts:

  • State that nothing within the contract relieves the processor of its own direct responsibilities and liabilities under the GDPR; and
  • Reflect any indemnity that has been agreed.

It is unlikely that existing controller – processor contracts will have these points covered, so it’s important for them to be reviewed and updated.