GDPR guidance on contracts and liabilities between controllers and processors

27 September 2017

The Information Commissioner's Office (ICO) has drafted detailed guidance on contracts and liabilities between controllers and processors under the General Data Protection Regulation (GDPR).

What is the difference between a controller and a processor?

The GDPR says that:

  • A controller is a natural or legal person or organisation which determines the purposes and means of processing personal data.
  • A processor is a natural or legal person or organisation which processes personal data on behalf of a controller.

If you are not sure whether you are a controller or a processor, you can refer to the ICO guidance on data controllers and data processors. Although it is based on the Data Protection Act 1998 (DPA), the parts of that guidance setting out how to determine who is the controller and who is the processor are still relevant under the GDPR.

Under the GDPR, when a controller uses a processor it needs to have a written contract (or other legal act) in place to evidence and govern their working relationship. If you are a controller, the draft guidance will help you to understand what needs to be included in that contract and why. It will also help processors to understand their responsibilities and liability. There is also a useful controller and processor contracts checklist at the end of the guidance.

The guidance sets out how the ICO interprets the GDPR, and includes their general recommended approach to compliance and good practice. As the GDPR is a regulation that applies consistently across the EU, the guidance will need to evolve to take account of future guidelines issued by relevant European authorities, as well as the ICO’s experience of applying the law in practice from May 2018.

The ICO intends to keep this guidance under review and update it in light of relevant developments and stakeholders’ feedback.

CIPP comment

The draft guidance is open for comment until 10 October 2017. There are just five tick-box questions and the option to provide any other comments. You can respond directly to the ICO by email or post.

If you have any concerns or questions regarding compliance with GDPR, please do email details to us at policy.


Looking ahead to the new Data Protection Act

The GDPR is only a part of the overall data protection framework. The government recently introduced the Data Protection Bill into Parliament. This should become law in 2018, replacing the current Act. It will:

  • Set out derogations from the GDPR, i.e. areas where Member States can decide provisions, such as around some exemptions.
  • Contain other national implementing measures, such as the Commissioner’s powers.
  • Implement the Law Enforcement Directive, which covers processing by competent authorities such as police forces for law enforcement purposes.
  • Cover those areas of data processing that are not covered by either the GDPR or the Directive and are outside the scope of EU law, so that there will be no gaps in the UK’s data protection regime.

The ICO will be following the progress of the Data Protection Bill closely and will contribute its views as appropriate during its passage through Parliament. Any legislation introduced into Parliament is open to change, so once the ICO has a clearer idea of the Bill's final form it will be able to make firmer plans and develop the structure and content of its guidance.

The ICO’s aim is to provide a suite of data protection guidance that is as comprehensive as possible by May 2018.