What must a contract between a controller and a processor include under GDPR?

Golden Data Law · Published in Golden Data · Mar 12, 2019

Image: Government of Alberta, "Contracts", available through Flickr

Key points

Whenever a controller uses a processor, there must be a written contract (or other legal act) in place between them.

The contract is important because it specifies the parties' responsibilities and liabilities.

The GDPR specifies what needs to be included in the contract.

If a processor uses another organization (i.e. a sub-processor) to assist in its processing of personal data for a controller, it must have a written contract in place with that sub-processor.

Whenever a controller uses a processor to process personal data, a written contract needs to be in place between the parties. Similarly, if a processor uses another organization (i.e. a sub-processor) to help it process personal data for a controller, it needs to have a written contract in place with that sub-processor and the controller needs to consent to the transfer through a specific or a general authorization.

Under Article 28 of GDPR:

Article 28: Processors

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing…


Golden Data Law is a mission-driven benefit corporation that provides legal services to the not-for-profit community and to governmental agencies.