The UK’s Information Commissioner (ICO) has published draft GDPR guidance on contracts and liabilities between controllers and processors. The draft guidance is currently open for consultation, with responses due by 10 October 2017.

The purpose of the guidance is to help organisations understand what needs to be included in written contracts between controllers and processors under the General Data Protection Regulation (GDPR). It also looks at the responsibilities and liabilities of controllers and processors.

Written contracts

Under the GDPR, a written contract must be in place when a controller uses a processor to process personal data. This is not a new concept, as data processing agreements are already used to satisfy the security requirements under the Data Protection Directive (95/46/EC). The GDPR, however, is wider in scope and now sets out specific terms that must be included in such contracts; for example, the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data to be processed, the categories of data subjects, and the obligations and rights of the controller. See Article 28.3 of the GDPR and page 12 of the draft guidance for further details.

The GDPR also allows for the use of standard contractual clauses issued by the European Commission or supervisory authority (such as the ICO), and approved codes of conduct or certification schemes which processors can sign up to; however, these are not available yet.

Responsibilities and liabilities


The key point here is that a controller is ultimately responsible for ensuring that personal data is processed in accordance with the GDPR. This means that, regardless of the use of a processor, the controller may be subject to any of the corrective measures and sanctions set out in the GDPR – including claims for compensation from a data subject, and administrative fines. It may, however, be able to claim back all or part of the amount of compensation from its processor, to the extent that it is liable (Article 82.5 of the GDPR).

Unless the controller can prove that it was “not in any way responsible for the event giving rise to the damage”, it will be fully liable for any damage caused by non-compliant processing, regardless of its use of a processor.


If a processor acts outside the documented instructions of a controller and determines the purpose and means of processing, it will be considered a controller and be subject to the same liabilities discussed above.

A processor also has certain direct responsibilities and liabilities under the GDPR, some of which are required contract terms (see pages 22 – 23 of the draft guidance for further details). Processors may be held directly responsible for non-compliance with these obligations, or the contract terms, and may be subject to administrative fines or other sanctions, and liable to pay compensation to data subjects. It may, however, be able to claim back from the controller part of the compensation it paid, for the controller’s share of liability (Article 82.5 of the GDPR). A processor will not be liable if it can prove it is not “in any way responsible for the event giving rise to the damage”.


A processor cannot absolve itself of responsibility by using a sub-processor. The sub-processing contract (required under the GDPR) must impose the same legal obligations on the sub-processor as set out in the main contract, and provide that the original processor is still liable to the controller for the compliance of the sub-processor.

What should businesses be doing to prepare?

All contracts in place 25 May 2018 will need to meet the new GDPR requirements. Businesses should check their existing contracts now to make sure they include all the required terms. If they do not, new contracts will need to be drafted and signed. All template or precedent contracts should also be reviewed and updated where necessary.

Businesses need to allow plenty of time for negotiations with their suppliers on issues such as allocation of risk and liability (including the adequacy of any caps), audit rights, and use of sub-processors, particularly with suppliers offering large-scale processing solutions on standard terms.

Controllers also have a responsibility to check that their processors are competent to process personal data, so businesses should carry out an assessment in each case to satisfy themselves that the processor is providing “sufficient guarantees” in accordance with the requirements of the GDPR.