The UK GDPR has increased the obligations on both controllers and processors. One obligation is to enter into a legally binding contract governing the processing of personal data when a processor (service provider) is commissioned to process personal data on behalf of the controller (the client).

The Data Processing Agreement specifies the rights and obligations of the controller and the processor as well as sub-processors, if applicable. In this way, it is easier to meet the accountability and joint-liability requirements of the UK GDPR.

The agreement for processing on behalf of a controller ensures that all parties involved properly process personal data; it establishes the primary requirements for the processor to adhere to prior to processing data on behalf of the controller. Thus, among other stipulations, the contract guarantees that the processor only processes the data entrusted to him/her upon the instructions of the controller.

Above all, the processor is obligated to protect the data to an adequate extent. In order to ensure that this level of data protection is actually provided by the processor, the controller is granted auditory rights in the contract.

The data protection agreement has to be adapted to the respective processors and their functions. An important component of the contract is an appendix that details the technical and organizational measures with which the processor guarantees an adequate data protection and information security standard.