1. What is the difference between a controller and a processor?
A controller is the business (or individual) that makes decisions about processing activities, including the purpose of processing and the means of processing. It has overall control of the personal data being processed and is ultimately responsible for the processing.
A processor is a business (or individual) that is appointed by a controller to carry out processing activities on its behalf. Although a processor may make its own day-to-day operational decisions, it should only process personal data in line with the controller’s instructions.
Controllers have more obligations than processors do under the UK GDPR, because they decide what personal data is collected and why, and exercise ultimate control over the data. UK controllers must also pay a data protection registration fee to the ICO unless they are exempt.
Processors have fewer direct obligations under the UK GDPR, but have additional obligations imposed on them via controller-processor agreements (see question 4 below).
2. What is a controller-processor agreement?
A controller-processor agreement (also known as a data processing agreement or DPA) is the contract between a controller and a processor that sets out the scope of processing to be carried out by the processor and the legal terms that apply to the relationship.
It is a requirement of data protection laws for a contract to be put in place between controllers and their processors.
3. What should be included in a controller-processor agreement?
Article 28(3) of the UK GDPR contains a list of mandatory clauses that must be included in controller-processor agreements. In addition to the mandatory clauses, controller-processor agreements also often include additional terms that cover the liability of each party and how the processing relationship can come to an end.
Check out our checklist of what to include in your controller-processor agreement here. Docue’s controller-processor agreement contains the mandatory clauses that are required in contracts between controllers and processors under data protection laws.
4. What are the key obligations on a data processor under a controller-processor agreement?
One of the key purposes of a controller-processor agreement is to set out how the processor can use the controller’s personal data in a way that ensures it is protected. To achieve this, controller-processor agreements usually include the following obligations on processors:
Security measures - the technical and organisational measures that the processor must have in place to protect the controller’s personal data;
Confidentiality - a duty to keep the controller’s personal data confidential;
Assistance with data subject access requests - a process for directing data subject requests to the controller, and assisting the controller with those requests;
Data breach notification - a process for promptly notifying the controller of any data breaches that affect the controller’s personal data;
Onwards transfers - restrictions on sharing the personal data with third parties (known as sub-processors) or outside of the UK and EEA without permission from the controller to do so; and
Other assistance - including assisting the controller with data protection impact assessments and ICO investigations.
It’s really important that data processors are fully aware of the obligations and can commit to them before they sign the controller-processor agreement - if a processor agrees to obligations that it can’t fulfil, it could be in breach of contract and open itself up to claims from the controller.
5. Can a processor use personal data without a controller-processor agreement being in place?
No, any personal data that the processor is using in the capacity of a processor can only be used if there is a controller-processor contract in place. This is because data protection laws in the UK include an express requirement for there to be a contract in place between controllers and processors. If a processor uses a controller’s personal data without a controller-processor contract being put in place first, it will be a breach of data protection laws.
Docue’s controller-processor contract has been drafted by privacy lawyers to ensure it complies with data protection laws. It contains lawyer-drafted guidance notes along the way to help you create your controller-processor agreement.