Controllers, Processors & Sub-Processors - Are your data processing agreements compliant?

The General Data Protection Regulation, better known through its acronym GDPR, has already been in force just over six months!

The GDPR has already made an impact, but there still seem to be some outstanding questions - such as what are the new obligations that Data Controllers, Data Processors and Sub-Processors have in relation to data processing agreements (DPAs)?

The essential obligations of Data Processors are described in Article 28 of the GDPR [1].

Under the GDPR and in the course of ordinary business, Data Processors have a key role to play when it comes to personal data processing activities. Many businesses nowadays use Data Processors. It is not surprising that transparency is required by those processing data, since under certain conditions they can now find themselves jointly-responsible for data, along with the Data Controller [2].

When a Data Controller uses Data Processors, it is important that there are sufficient guarantees in place for the implementation of appropriate technical and organisational measures to ensure that data security obligations are met in accordance with GDPR requirements [3].

Why is this important?

Well, each Data Controller must ensure their data processing is compliant, especially as regards the security and confidentiality of those processing activities! When engaging a Data Processor, it is vital to ensure that processing is undertaken in a safe and complaint way, and that the Data Processor understands this obligation.

As a result, the Data Processor has an obligation under the GDPR to provide a certain amount of information to the Data Controller, and also has specific obligations to adhere to so that the Data Controller can be certain that the guarantees put in place by that Data Processor are sufficient.

The Data Processing Agreement (or DPA)

Any contract (or, any other agreement under EU law or an EU Member State) which binds a Data Controller to a Data Processor must contain key contractual clauses, ranging from general provisions to specific one.

This contract, which is often known as a “Data Processing Agreement”, or a “DPA”, is essential to ensure GDPR compliance!

Firstly, a Data Processor can only act on the Data Controller’s clear instructions. Further, a Data Processor should respect the confidentiality of the personal data being processed, and must also take all necessary measures required by Article 32 of the GDPR regarding pseudonymisation and encryption of personal data. Generally, a Data Processor will assist a Data Controller with its processing of personal data and make sure that it is compliant.

Right to Information!

If a Data Controller is breaching the GDPR, the Data Processor must inform the Data Controller immediately! Such guarantees should be contained in the DPA.


Obligations also arise when a Data Processor engages any other co- or sub-processors. A contract is useful to establish all the obligations required by Article 28 of the GDPR, such as the infamous guarantees relating to the implementation of appropriate technical and organisational measures. These can be evidenced by having a Code of Conduct in place [4], or via an approved certification mechanism. 

Watch Out - if Data Processors do not clearly set out the relationship with their sub-processors, it is the initial Data Processor which would be liable! You must therefore take extra care to ensure that you comply with all the obligations of the GDPR in order to protect your position. 

What about DPA negotiations?

The aforementioned GDPR obligations don’t really leave much room for negotiations when drawing up a Data Processing Agreement. Therefore, in order to protect the Data Controller, Data Processor and any other sub-processors, it is important to be familiar with the GDPR and ensure that your contracts properly reflect the requirements.

Records of processing activities [5]

Keeping accurate records of all processing activities allows you to keep an eye on how your personal data is processed. Granted, the GDPR says that keeping data processing records is not mandatory for companies with less than 250 employees, but we consider that maintaining records allows for real control over any data processing activities and helps you to avoid any pitfalls or confusion.

For Data Processors, keeping records and evidence of data processing activities is vital, especially if any one of its sub-processors breaches the GDPR, Data Processors want to ensure that they have evidence to protect their position and ensure that they can hold any non-compliant sub-processors liable!

What about multiple Data Processors and Controller-to-Controller activities?

When dealing with data processing activities between multiple Data Processors or between two distinct Data Controllers, it is common for there to be a shared database during the data processing activities or a transfer of personal data. Although a Data Processing Contract between Data Processors or between two distinct Data Controllers might not seem necessary (and is not specifically required under the GDPR), in order to ensure legal certainty (just with any other contractual relationship), common sense prevails - it is always better to have terms in place so that the rights and obligations of each of the parties are clear.

If you are in any doubt about the content of a Data Processing Contract or about your responsibilities as a Data Controller or Data Processor, it is always worthwhile to consult a specialised lawyer. Remember, the GDPR is a major piece of legislation that can have significant consequences!

If you have any specific queries relating to your data processing activities or your GDPR contracts, don’t hesitate to get in touch.

December 2018

Charlotte Gerrish, Founding Lawyer, Lily Morrison and Lolita Huber-Froment, Legal Consultants @ Gerrish Legal

[1]Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation)

[2]Ibid Article 26 GDPR

[3]Ibid at 1, Article 28 Section 1 GDPR

[4]Ibid at 1, Article 40 GDPR

[5]Ibid at 1, Article 30 GDPR