Engaging a Data Processor


A Data Processor is the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.   

A Data Processor is usually engaged as an outsourced provider of a business function. For example, a Data Controller may engage a payroll provider as it does not have an in-house payroll team. The payroll provider processes payroll information to fulfill payroll functions on the Data Controller’s instruction and is therefore a Data Processor.  


There are many benefits for a Data Controller looking to outsource a business function to a third-party Data Processor including cost cutting, the ability to focus on core business functions and the potential to fill a skills gap.  

However, any Data Processor chosen has a significant impact on the Data Controller’s core compliance functions and therefore choosing a Data Processor that provides sufficient guarantees can improve the Data Controllers overall data protection compliance position which will ultimately build trust with Data Subjects (the individuals whose data is being processed).  

Ensuring appropriate due diligence has been undertaken prior to the engagement of a Data Processor to ensure they are providing “sufficient guarantees” (including the completion of a Data Protection Impact Assessment) also puts the Data Controller in an accountable and defensible position should a processor-led personal data breach occur that requires the notification the Information Commissioner’s Office (ICO) or the supervisory authority of a different member state.  


Article 28 of the General Data Protection Regulation (GDPR) prescribes the mandatory terms that must be stipulated in a contract or legal act between a Data Processor and a Data Controller. These terms are:  

The processor:  

  1. processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; 
  1. ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; 
  1. takes all measures required pursuant to?GDPR Article 32 (Security of processing); 
  1. respects the conditions referred to in paragraphs 2 and 4 of GDPR Article 28 for engaging another processor (a sub processor)  
  1. taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights; 
  1. assists the controller in ensuring compliance with the obligations pursuant to?GDPR Articles 32?to?36?taking into account the nature of processing and the information available to the processor; 
  1. at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data; 
  1. makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. 

When a company engages a Data Processor, they are trusting them to protect valuable information assets, personal data and the privacy rights of Data Subjects.  

Don’t trust your gut – take the Data Protection by Design and Default approach by doing your due diligence and letting a data processor earn trust by agreeing to the correct mandatory contractual terms and outlining their appropriate security measures prior to their engagement.  


For a confidential conversation about the way your organisation engages Data Processors, please contact us by calling +44(0) 800 999 5550 or email [email protected]