Skip to content
Platform|Embed
ContactAboutNewsReviewsBook a demo
Support
Custom templatesCreate templates in DocueReady-made legal templates150+ lawyer-made UK templatesElectronic signatureEffortless signing in secondsDocue DriveSecure, intelligent contract managementEmbedded Legal EngineEmbed templates into your own softwareEmbedded Sign EngineEmbed signing into your own software
Legal Templates
HubSpotSalesforcePipedriveOther systems
Pricing
SearchLog inBook a demo
PlatformEmbed
HomeLegal TemplatesPricingContactAboutNewsReviews
Book a demo

Already have an account? Sign in

  1. Legal Hub
  2. Top 5 FAQs for data processors about controller-processor agreements
0 % read

Top 5 FAQs for data processors about controller-processor agreements

FAQ•Last updated 15 Oct 2024
Are you handling personal data for another business? If so, our FAQs for data processors about controller-processor agreements can help you protect your business.

1. What is the difference between a controller and a processor?

A controller is the business (or individual) that makes decisions about processing activities, including the purpose of processing and the means of processing. It has overall control of the personal data being processed and is ultimately responsible for the processing.

A processor is a business (or individual) that is appointed by a controller to carry out processing activities on its behalf. Although a processor may make its own day-to-day operational decisions, it should only process personal data in line with the controller’s instructions.

Controllers have more obligations than processors do under the UK GDPR, because they decide what personal data is collected and why, and exercise ultimate control over the data. UK controllers must also pay a data protection registration fee to the ICO unless they are exempt.

Processors have fewer direct obligations under the UK GDPR, but have additional obligations imposed on them via controller-processor agreements (see question 4 below).

2. What is a controller-processor agreement?

A controller-processor agreement (also known as a data processing agreement or DPA) is the contract between a controller and a processor that sets out the scope of processing to be carried out by the processor and the legal terms that apply to the relationship.

It is a requirement of data protection laws for a contract to be put in place between controllers and their processors.

3. What should be included in a controller-processor agreement?

Article 28(3) of the UK GDPR contains a list of mandatory clauses that must be included in controller-processor agreements. In addition to the mandatory clauses, controller-processor agreements also often include additional terms that cover the liability of each party and how the processing relationship can come to an end.

Check out our checklist of what to include in your controller-processor agreement here. Docue’s controller-processor agreement contains the mandatory clauses that are required in contracts between controllers and processors under data protection laws.

4. What are the key obligations on a data processor under a controller-processor agreement?

One of the key purposes of a controller-processor agreement is to set out how the processor can use the controller’s personal data in a way that ensures it is protected. To achieve this, controller-processor agreements usually include the following obligations on processors:

  • Security measures - the technical and organisational measures that the processor must have in place to protect the controller’s personal data;

  • Confidentiality - a duty to keep the controller’s personal data confidential;

  • Assistance with data subject access requests - a process for directing data subject requests to the controller, and assisting the controller with those requests;

  • Data breach notification - a process for promptly notifying the controller of any data breaches that affect the controller’s personal data;

  • Onwards transfers - restrictions on sharing the personal data with third parties (known as sub-processors) or outside of the UK and EEA without permission from the controller to do so; and

  • Other assistance - including assisting the controller with data protection impact assessments and ICO investigations.

It’s really important that data processors are fully aware of the obligations and can commit to them before they sign the controller-processor agreement - if a processor agrees to obligations that it can’t fulfil, it could be in breach of contract and open itself up to claims from the controller.

5. Can a processor use personal data with a controller-processor agreement being in place?

No, any personal data that the processor is using in the capacity of a processor can only be used if there is a controller-processor contract in place. This is because data protection laws in the UK include an express requirement for there to be a contract in place between controllers and processors. If a processor uses a controller’s personal data without a controller-processor contract being put in place first, it will be a breach of data protection laws.

Docue’s controller-processor contract has been drafted by privacy lawyers to ensure it complies with data protection laws. It contains lawyer-drafted guidance notes along the way to help you create your controller-processor agreement.

Sign-up now to use Docue's controller-processor agreement template.

Author
Docue's Legal Team

Tags: controller-processor agreement, controller processor contract, data controller to data processor agreement.


Related legal templates

Data Processing AgreementData Sharing AgreementPrivacy Notice (Website)Data Protection Policy

About Docue

Docue gives you access to 150+ automated legal templates for all important business situations. Templates are maintained by experienced UK lawyers to stay up-to-date with English and Welsh legislation.

Features

  • Custom templates
  • Ready-made legal templates
  • Electronic signature
  • Contract management

Service

  • Pricing
  • Reviews
  • Integrations
  • Legal Hub
  • Support

Company

  • About
  • Contact
  • News
  • Solutions
  • Reviews

Other

  • Log in
  • Data Security
  • Privacy Policy
  • Terms of Use
  • Data Processing Agreement

Support site

Instructions for using the service and answers to frequently asked questions: help.docue.com/en

Customer Service

For business customers: support@docue.com

4.5
(142)
Google LogoReviews on Google
ISO logo

ISO/IEC 27001 certified

© 2026 Docue

•
  • Facebook
  • Instagram
  • Twitter
  • LinkedIn
  • Youtube
Choose country