Why Data Processing Agreements with suppliers matter
Controller to processor contractual terms
Supply-chain data breaches have become all too common. If one of your suppliers (service providers) suffers a breach or other privacy violation, the data protection clauses in contractual terms could suddenly become very important.
GDPR (and its UK GDPR spin-off) sets out strict contractual requirements for when an organisation utilises the services of another organisation which will handle personal data on its behalf – including technology providers. These contractual terms are designed to protect all parties: the individuals whose data is processed, the (controller) organisation and their supplier (processor).
Establishing the relationship
First, it’s important to clearly establish what the relationship is between your organisation and the third party. Are both parties acting as separate or joint controllers? Or is the supplier acting as your processor?
This is not always easy to determine. The lines can become blurred when a third party in some situations is acting as a processor, but at other times as a controller – either using the data for their own purposes, or for jointly shared purposes (i.e. joint controllers). See: Controller or processor; what are we?
Who’s accountable?
Prior to the GDPR being implemented in 2018, accountability rested almost entirely with the controller, who was liable if things went wrong. Post GDPR, either the controller or the processor, or both, can be held accountable, and liable for compensating any damages, whether material or non-material, suffered by individuals.
What obligations does each party have?
While the majority of data protection compliance obligations rest with controllers, processors also have their own accountabilities. These include, but are not limited to, being accountable for any sub-contractors (aka ‘sub-processors’) they appoint which process the controller’s data, any international data transfers and keeping adequate records of their processing activities.
Processors are also required to assist the controller with their obligations: for example, in the event of a data breach, with handling privacy rights requests, and with conducting Data Protection Impact Assessments.
What Controller-Processor contracts need to cover
The requirements an organisation needs to meet when utilising the services of processors are set out in Article 28, GDPR. This applies when suppliers are:
■ processing personal data on behalf of the organisation (e.g. processing the organisation’s employee records, customer data or another category of personal data);
■ acting solely under the instructions of your organisation; and
■ NOT using the personal data for their own business purposes.
Data protection legislation makes it very clear this arrangement must be covered by a binding agreement and there are specific provisions which must be included.
The specific data protection provisions are often set out separately to other provisions, in a Data Processing Agreement (DPA) or Addendum. Alternatively, they may be included within the main agreement. So if there’s no adequate data protection section in the main agreement, look for a DPA or Addendum! These should include the following aspects.
1. Technical and Organisational Measures (TOMs)
A processor needs to provide sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of GDPR and ensure the protection of individuals’ rights. Good practice would be to include a summary of key information security measures within the contractual terms.
It’s advisable, as part of the due diligence process prior to entering into a contract, to conduct data protection and information security assessments, where relevant, to gain suitable oversight and assurances from suppliers that personal data will be properly protected. In practice it’s unlikely to be feasible to carry out such due diligence on all suppliers, so you may wish to focus efforts on those which handle sensitive data or types of processing which involve higher levels of risk.
2. Appointment of sub-processors
A processor must not engage other processors (often referred to as ‘sub-processors’) to conduct processing of the controller’s personal data without the authorisation of the controller. The processor also needs to inform the controller of any intended material changes concerning additional or replacement sub-processors. The controller must be given the opportunity to object to such changes.
A contract should therefore provide details of any sub-processors which will be used to handle the controller’s data. Updates should be provided when this list changes. In our experience, well-established suppliers will often just provide a link to view their sub-processors and may put the onus on the organisation they’re contracting with to check for updates. Something to watch out for.
Processors need to be aware they are accountable for the actions of their sub-processors. It is specifically stated that the same obligations as set out in the contract between the controller and processor shall be imposed on another (sub) processor by way of contract or other legal act.
Where a sub-processor fails to fulfil its data protection obligations, the processor up the chain may become accountable and liable to the controller for the performance of the sub-processor’s obligations. Processors are therefore responsible for conducting due diligence on any sub-processors they use.
This point really illustrates how important it is to clearly establish controller > processor > sub-processor supply chains and make sure the nature of the relationship between parties is clear in contractual terms.
3. Further contractual requirements
A contract (or other legal act) between a controller and processor must set out the following:
■ Types of personal data the processor will be processing on behalf of the controller (e.g. name, email address, telephone number, bank account number, date of birth – including any special category data)
■ Categories of data subject (e.g. employees, patients, customers, students, minors)
■ Nature and purpose of processing activities
■ Duration of processing (i.e. the term of the contract)
Terms must also include:
a) Rights and duties of each party, e.g. the processor’s commitment not to use the controller’s personal data for any purpose other than providing the agreed service(s).
b) Instructions from the controller – The agreement should include details of what the processor is permitted to do with the personal data it is provided. In practice, this may often be set out by the supplier (processor) and often may be provided separately to the main agreement – particularly if there are multiple workstreams or project-based activities. But the controller should check and agree that these accurately represent their instructions, so the scope of data processing is clear.
c) International data transfers – If relevant, the agreement should include details and provisions for any transfer of personal data to a third country, whether this be to the processor itself or any sub-processors used. See: International Data Transfers Guide.
d) Duty of confidentiality – There must be a confidentiality clause which commits the processor to ensuring the people authorised to access the controller’s personal data have committed themselves to a duty of confidentiality or are under a statutory obligation of confidentiality.
e) Data subjects’ rights – The processor must commit to assist the controller, where applicable, with the fulfilment of data subjects’ rights, such as Subject Access Requests, the right to erasure, the right to object to processing, etc.
f) Assistance with controller’s compliance – the agreement should set out that, as and when required, the processor will assist the controller with:
■ Security of processing
■ Conducting Data Protection Impact Assessments (DPIA), should this be required
■ Prompt notification of any personal data breaches affecting controller data. Often the terms will stipulate the processor must inform the controller about any data breach affecting the controller’s personal data ‘without undue delay’ or will have a specific timeframe, for example, within 24/48 hours. This could become vital so that the controller can meet its reporting deadline of 72 hours.
g) Return or destruction of the data – the agreement should stipulate what happens to the controller’s personal data at the end of the contract term. The law states that, at the choice of the controller, all personal data must be returned or destroyed.
h) Audits and inspections – the agreement should set out that the processor agrees to make available all information necessary to demonstrate compliance with Article 28 and will allow for, and contribute towards audits, including inspections, by the controller or an authorised auditor.
What might be the consequences of getting contracts wrong?
It’s crucial contracts relating to data processing include all the appropriate terms to make sure that individuals are properly protected, and also to make sure the accountabilities and liabilities of each party are clearly agreed should a data breach or other violation of data protection law occur. As GDPR states:
‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.’ (Article 82)
What can we do when contractual terms are non-negotiable?
Size matters! Established suppliers such as big tech providers will often have their own standard Data Processing Agreements and offer little or no room for negotiation. It’s sometimes a case of ‘take it or leave it’. In this situation, organisations will need to take a balanced approach, weighing up the necessity of utilising the services with the contractual terms provided, and decide whether these are sufficient.
Conversely, big established controllers will often be in a position to dictate their terms to smaller suppliers.
However, it really is wise to check Data Processing Agreements, or data protection clauses within a main contract. It’s worth clicking on the link to check the sub-processors a supplier uses. All of this will inform your decisions. If you don’t check, you may be unaware of some underlying risks.