The U.K. Information Commissioner’s Office (ICO) recently published guidance on contracts between controllers and processors. This new guidance provides a more in-depth and detailed discussion of the key issues than did a previously released primer published by the ICO, which set out key points along with helpful checklists.

The new guidance discusses (1) when a contract is needed and why, (2) specifically what terms need to be included in the contract, (3) the responsibilities and liabilities of controllers when using a processor, and (4) the responsibilities and liabilities of processors.

The guidance lays out the minimum required terms, citing to the Articles of the General Data Protection Regulation (GDPR), and provides some color on the following terms and clauses: (1) processing only on the documented instructions of the controller; (2) duty of confidence; (3) appropriate security measures; (4) using sub-processors; (5) data subjects’ rights; (6) assisting the controller; (7) end-of-contract provisions; and (8) audits and inspections.

The guidance also outlines some of a controller’s responsibilities when using a processor. For example, the guidance focuses on Article 28(1), which states that a controller “shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of [the GDPR] and ensure the protection of the rights of the data subject.” The ICO provides some examples of the considerations controllers should make when assessing whether a processor provides “sufficient guarantees” under Article 28(1). According to the ICO, such examples include:

  • The extent to which the measures comply with industry standards, if these apply in the context of the processing.
  • Whether the processor has sufficient technical expertise to assist the controller, e.g., in carrying out obligations under Articles 32-36 of the GDPR (technical measures, breach notifications and data protection impact assessments).
  • Providing the controller with relevant documentation, e.g., its privacy, record management and information security policies.
  • Adherence to an approved code of conduct or a certification scheme (when either becomes available).

Finally, the guidance also discusses the liabilities of processors and sub-processors as well as some considerations for both processors and controllers to think about when negotiating a contract for data processing.