ICO GDPR guidance- Contracts and liabilities between Controllers and Processors

Document Information

GSC Classification OFFICIAL
Access Policy Open
Reference bps07834-0000-00
Document Status Review Status
Primary Classification
Author Organisation Information Commissioner's Office
Sponsor OrganisationNot Known
Trustee NPTC Standards Working Group, trustee@standards.police.uk

Copyright Notice Copyright (c) 2016 National Police Technology Council (NPTC) group and the persons identified as the document authors. All rights reserved.


These pages sit alongside our Overview of the GDPR and provide more detailed, practical guidance for UK organisations on contracts between controllers and processors under the GDPR. Under the GDPR, when a controller uses a processor it needs to have a written contract (or other legal act) in place to evidence and govern their working relationship. If you are a controller, this guidance will help you to understand what needs to be inc luded in that contract and why. It will also help processors to understand their responsibilities and liability. The guidance sets out how the ICO interprets the GDPR, and the general recommended approach to compliance and good practice.


The usage scenarios for bps07834-0000-00 have not been documented yet.

Normative References

bps07834-0000-00 link




Obsoleted By



We’d love you to discuss this item but please be aware that these discussions are publicly accessible.