The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.


You have appropriate procedures in place regarding the work that processors do on your behalf.

Ways to meet our expectations:

  • You have written contracts with all processors.
  • Before using a processor, you assess the risks to data subjects and put measures in place that effectively mitigate them.
  • An appropriate level of management approves the contracts and both parties sign. The level of management required for approval is proportionate to the value and risk of the contract.
  • Each contract (or other legal act) sets out details of the processing, including the:
    • subject matter of the processing;
    • duration of the processing;
    • nature and purpose of the processing;
    • type of personal data involved;
    • categories of data subject; and
    • controller’s obligations and rights, in accordance with the list set out in Article 28(3) of the UK GDPR.
  • You keep a record or log of all current processor contracts, which you update when processors change.
  • You review contracts periodically to make sure they remain up to date.
  • If a processor uses a sub-processor to help with the processing it carries out on your behalf, the processor has your organisation's written authorisation to do so and a written contract with that sub-processor.

Can you answer yes to the following questions?

  • Are staff aware of the need for a written contract when using a processor?
  • Is there a process for making sure contracts are kept up to date?
  • Are the risks of using a processor mitigated effectively?
  • Do you have an appropriate approval process for contracts?
  • Is it easy for staff to find existing contracts where appropriate?