Blog
Rayner my parade! The importance of specialist advice.
Jemma Brimblecombe
Under the GDPR, when a ‘data controller’ engages a ‘data processor’, the two parties must enter into a written contract. Article 28 of the GDPR sets out the specific terms that, as a minimum, must be included in such contracts. These terms are required to ensure that the processor complies with the GDPR when processing the personal data in the controller’s possession. Article 28 is a new requirement which did not exist under the Data Protection Act 1998 (the “DPA”), meaning that controllers who are currently compliant with the DPA will not necessarily have included these provisions in their processor contracts. These contractual terms must be in place when the GDPR comes into force on 25 May 2018. Controllers and processors will therefore need to review their existing contracts and revise them as necessary and, where no contract is in place, agree its terms before May 2018. The Information Commissioner’s Office (the “ICO”) has provided draft guidance concerning this issue.
A ‘data controller’ is defined as a ‘natural or legal person or organisation which determines the purposes and means of processing personal data’. For example, an employer which stores its employees’ data on a cloud-based HR software platform.
A ‘data processor’ is a ‘natural or legal person or organisation which processes personal data on behalf of the controller’. For example, the provider of the cloud-based HR platform referred to above, which processes employee data on behalf of the employer.
Under Article 28.3 of the GDPR, a contract is needed when a controller uses a processor to process personal data, and whenever a processor employs another processor (a ‘sub-processor’). As such, the employer and the software provider must enter into a contract relating to the use of the platform referred to above. Similarly, the software provider must enter into contracts with any relevant sub-contractors (for example, a third party hosting the processor’s servers).
Under the GDPR, the contract between a controller and a processor must specify the following details and provisions:
All contracts must provide that ‘the processor may only process personal data in accordance with the controller’s written instructions, unless required to do so by law’. In the event that the processor is required to disclose the data by law, the processor must inform the controller before disclosing it (unless the law prevents this for public interest reasons).
Contracts should include a provision obligating the processor to obtain a commitment of confidentiality from anyone it allows to process the personal data (unless they are already under such a duty by law). Practically speaking, this means that the processor’s employees, temporary and agency workers and subcontractors engaged to process personal data must enter into confidentiality agreements with the processor.
The processor must be subject to the same requirements as the controller in relation to keeping personal data secure. Article 32 of the GDPR sets out the ‘appropriate technical and organisational measures’ that both the processor and controller must take, including:
Processors must not employ sub-processors without the controller’s prior written consent, which can be given either generally or specifically. Using the example above, the provider of the cloud-based HR platform might wish to sub-contract with another party to perform the services on its behalf. Further, if a sub-processor is employed under the processor’s prior general written authorisation, the processor must inform the controller of any changes to that authorisation, and give the controller a chance to object. A processor must ensure that its contract with a sub-processor contains (at the very least) the minimum terms relating to processing of personal data required in contracts between controllers and processors. Ideally, these terms should mirror those agreed between the controller and processor, given that if the sub-processor fails to comply with the terms of the sub-contract, the processor remains liable to the controller for any loss suffered as a result of such non-compliance.
A relevant contract must include provisions obligating the processor to assist the controller in relation to a wide range of its obligations under the GDPR including, but not limited to:
The processor’s duty to assist is limited, however, by ‘taking into account the nature of processing and the information available to the processor’.
Processors must also assist controllers by providing them with access to their data and by assisting controllers with their obligations to data subjects under the GDPR, for example by providing data to data subjects following a subject access request. Under the GDPR, data subjects are entitled to have their personal data rectified or erased. A corresponding responsibility must now be included within controller/processor contracts, requiring processors to assist controllers who are dealing with such requests for rectification or erasure of a subject’s personal data.
All personal data must be deleted or returned at the end of the contract, as decided by the controller. The usual exception applies, however: the processor is exempt from this obligation where it is required to retain the data by law.
The processor must submit to audits and inspections carried out by the controller (or one of its agents), which the controller may conduct to ascertain whether the processor is processing its data in accordance with the terms of the contract.
What to do next?
Should you have any GDPR or data protection queries, please contact Kingsley Napley’s data protection team.
We welcome views and opinions about the issues raised in this blog. Should you require specific advice in relation to personal circumstances, please use the form on the contact page.