The controller and processor must be party to the contract.

What details about the processing must the contract include?

Article 28(3) states that the contract (or other legal act) must include the following details about the processing:

The controller therefore needs to be very clear from the outset about the extent of the processing it is contracting out.

What are the minimum required terms?

Article 28(3) also sets out the following specific terms or clauses that must be included in the contract:

These are the minimum required, but the controller and processor may agree to supplement them with their own terms. Each of these terms is explored further below.

Processing only on the controller’s documented instructions

Under Article 28(3)(a) the contract must say that the processor may only process personal data in line with the controller’s documented instructions (including when making an international transfer of personal data) unless it is required to do otherwise by EU or member state law.

The contract may include details of the instructions specified in Article 28(3), or those instructions may be provided separately.

An instruction can be documented by using any written form, including email. The instruction must be capable of being saved, so that there is a record of the instruction.

This contract term should make it clear that it is the controller, rather than the processor, that has overall control of what happens to the personal data.

If a processor acts outside the controller’s instructions in a way that means it decides the purpose and means of the processing (including where it does so to comply with a statutory obligation), it will be treated as a controller in respect of that processing and will have the same liability as a controller.

Duty of confidence

Under Article 28(3)(b) the contract must say that the processor must obtain a commitment of confidentiality from anyone it allows to process the personal data, unless that person is already under such a duty by statute.

This contract term should cover the processor’s employees as well as any temporary workers and agency workers who have access to the personal data.

Appropriate security measures

Under Article 28(3)(c) the contract must oblige the processor to take all security measures necessary to meet the requirements of Article 32 on the security of processing.

Both controllers and processors are obliged under Article 32 to put in place appropriate technical and organisational measures to ensure the security of any personal data they process which may include, as appropriate:

Adherence to an approved code of conduct or certification scheme may be used as a way of demonstrating compliance with security obligations. Codes of conduct and certification may also help processors to demonstrate sufficient guarantees that their processing will comply with the GDPR.

Using sub-processors

Under Article 28(3)(d) the contract must say that:

Data subjects’ rights

Under Article 28(3)(e) the contract must provide for the processor to take “appropriate technical and organisational measures” to help the controller respond to requests from individuals to exercise their rights.

This provision stems from Chapter III of the Applied GDPR, which describes how the controller must enable data subjects to exercise various rights and respond to requests to do so, such as subject access requests, requests for the rectification or erasure of personal data, and objections to processing.

Assisting the controller

Under Article 28(3)(f) the contract must say that, taking into account the nature of the processing and the information available, the processor must assist the controller in meeting its obligations to:

We recommend that the contract is as clear as possible about how the processor will help the controller meet its obligations.

End-of-contract provisions

Under Article 28(3)(g) the contract must say that at the end of the contract the processor must:

Note that deletion of personal data should be carried out securely, in accordance with the security requirements of Article 32.

The contract must include these terms to ensure the continuing protection of the personal data after the contract ends. This reflects the fact that it is ultimately for the controller to decide what should happen to the personal data being processed, once processing is complete.

We appreciate the practical reality that it may not be possible for data in backups or archives to be deleted immediately on termination of a contract. Provided appropriate safeguards are in place, such as the data being put immediately beyond use, it may be acceptable that the data is not deleted immediately if the retention period is appropriate and the data is subsequently deleted as soon as possible, eg on the processor’s next deletion/destruction cycle.

Audits and inspections

Under Article 28(3)(h) the contract must require:

This provision obliges the processor to be able to demonstrate compliance with the whole of Article 28 to the controller. For instance, the processor could do this by giving the controller the necessary information or by submitting to an audit or inspection.

The Applied GDPR does not require that the contract includes a provision requiring a processor to keep records of the processing it carries out for the controller – although such records would be useful for the processor to demonstrate compliance with Article 28. However, requirements for processors to maintain records of their processing activities are set out in Article 30(2).

Can standard contract clauses be used?

The GDPR allows the EU Commission and EU supervisory authorities to issue standard clauses to include in contracts between controllers and processors. When these clauses become available they may provide a simple way to ensure that contracts between controllers and processors comply with the Applied GDPR.