Processors
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Processors
You have appropriate procedures in place regarding the work that processors do on your behalf.
Ways to meet our expectations:
- You have written contracts with all processors.
- If using a processor, you assess the risk to data subjects and make sure to effectively mitigate these risks.
- An appropriate level of management approves the contracts and both parties sign. The level of management required for approval is proportionate to the value and risk of the contract.
- Each contract (or other legal act) sets out details of the processing, including the:
  - subject matter of the processing;
  - duration of the processing;
  - nature and purpose of the processing;
  - type of personal data involved;
  - categories of data subject; and
  - controller’s obligations and rights, in accordance with the list set out in Article 28(3) of the UK GDPR.
- You keep a record or log of all current processor contracts, which you update when processors change.
- You review contracts periodically to make sure they remain up to date.
- If a processor uses a sub-processor to help with the processing it is doing on your behalf, they have written authorisation from your organisation and a written contract with that sub-processor.
Can you answer yes to the following questions?
- Are staff aware of the need for a written contract when using a processor?
- How do they make sure the contracts are kept up to date?
- Are the risks of using a processor mitigated effectively?
- Do you have an appropriate approval process for contracts?
- Is it easy for staff to find existing contracts where appropriate?