
UK Controller And Processor Obligations Matrix

This matrix helps readers compare controller and processor duties under UK data protection rules, making contract drafting, compliance checks, and risk allocation easier. For related templates and guidance, visit AI Generated British Data Processing Agreement.
| Party | Obligation | Source Category | Description | Inclusion Status | Drafting Location |
|---|---|---|---|---|---|
| Processor | Process personal data only on documented controller instructions | UK GDPR Article 28 | Processor may process data only as instructed, including transfers unless legally required. | Mandatory | Main processing clause; instructions schedule; transfer clause |
| Both Parties | Set out processing subject matter and duration | UK GDPR Article 28 | Contract must describe what processing will occur and how long it will last. | Mandatory | Processing details schedule |
| Both Parties | Specify nature and purpose of processing | UK GDPR Article 28 | DPA should identify why and how the processor processes the personal data. | Mandatory | Processing details schedule; services description |
| Both Parties | Identify types of personal data processed | UK GDPR Article 28 | DPA should list data types such as contact, usage, payment or HR data. | Mandatory | Processing details schedule; data categories table |
| Both Parties | Identify categories of data subjects | UK GDPR Article 28 | DPA should name affected groups, such as customers, staff or suppliers. | Mandatory | Processing details schedule; data subject categories table |
| Controller | Record controller obligations and rights | UK GDPR Article 28 | Contract must state the controller's rights and obligations in relation to processing. | Mandatory | Controller obligations clause; governance clause |
| Processor | Ensure authorised personnel are bound by confidentiality | UK GDPR Article 28 | Processor staff and authorised users must have confidentiality duties or statutory obligations. | Mandatory | Confidentiality clause; personnel clause |
| Processor | Implement appropriate technical and organisational measures | UK GDPR Security Requirements | Processor must apply security measures appropriate to risk and data sensitivity. | Mandatory | Security clause; technical and organisational measures schedule |
| Controller | Maintain controller-side security measures | UK GDPR Security Requirements | Controller must secure its systems, accounts, instructions and integration environment. | Mandatory | Controller responsibilities clause; shared security schedule |
| Both Parties | Use pseudonymisation and encryption where appropriate | UK GDPR Security Requirements | Consider masking, tokenisation and encryption to reduce confidentiality and misuse risks. | Context Dependent | Security schedule; encryption standard; key management clause |
| Both Parties | Ensure confidentiality, integrity, availability and resilience | UK GDPR Security Requirements | Systems and services should remain secure, accurate, accessible and resilient. | Mandatory | Security measures schedule; availability and resilience clause |
| Processor | Restore access to data after incidents | UK GDPR Security Requirements | Processor should restore availability and access in a timely manner after incidents. | Mandatory | Business continuity clause; backup and disaster recovery schedule |
| Both Parties | Test and evaluate security measures regularly | UK GDPR Security Requirements | Security controls should be tested, assessed and improved on a regular basis. | Mandatory | Security testing clause; audit schedule; vulnerability management terms |
| Processor | Do not appoint subprocessors without controller authorisation | UK GDPR Article 28 | Processor needs specific or general written authorisation before using another processor. | Mandatory | Subprocessing clause; approved subprocessor schedule |
| Processor | Give notice of intended subprocessor changes | UK GDPR Article 28 | Processor must notify controller of additions or replacements and allow objections. | Mandatory | Subprocessor change clause; objection process |
| Processor | Impose equivalent data protection terms on subprocessors | UK GDPR Article 28 | Subprocessor contract must contain the same data protection obligations in substance. | Mandatory | Subprocessor flow-down clause; subcontracting clause |
| Processor | Remain liable for subprocessor data protection performance | UK GDPR Article 28 | Processor remains responsible if its subprocessor fails to meet data protection obligations. | Mandatory | Subprocessor liability clause; indemnity clause |
| Processor | Assist with data subject rights requests | UK GDPR Article 28 | Processor must help controller respond to access, deletion, objection and similar requests. | Mandatory | Data subject rights clause; assistance SLA |
| Processor | Forward data subject requests to controller promptly | Contractual Best Practice | Processor should send requests to controller quickly and avoid unauthorised responses. | Usually Recommended | Rights request procedure; notification timescale clause |
| Processor | Assist with security and personal data breach duties | UK GDPR Article 28 | Processor must assist with Article 32 security and breach notification compliance. | Mandatory | Assistance clause; breach procedure; security schedule |
| Processor | Notify controller after becoming aware of a personal data breach | UK GDPR Security Requirements | Processor must notify controller without undue delay after breach awareness. | Mandatory | Breach notification clause; incident response schedule |
| Controller | Notify ICO of notifiable personal data breaches | UK GDPR Security Requirements | Controller must notify ICO within 72 hours unless breach is unlikely to risk rights. | Mandatory | Breach responsibilities clause; escalation procedure |
| Controller | Communicate high-risk breaches to data subjects | UK GDPR Security Requirements | Controller must inform affected individuals where breach is likely to create high risk. | Mandatory | Breach communication clause; incident response schedule |
| Both Parties | Provide breach information needed for assessment and notification | UK GDPR Security Requirements | Parties should share facts, affected data, mitigation steps and likely consequences. | Mandatory | Incident reporting template; breach schedule |
| Processor | Assist with data protection impact assessments | UK GDPR Article 28 | Processor must help controller complete DPIAs where processing risk requires one. | Context Dependent | DPIA assistance clause; compliance support schedule |
| Processor | Assist with ICO prior consultation where required | UK GDPR Article 28 | Processor must help controller consult ICO where DPIA shows unmitigated high risk. | Context Dependent | Regulator consultation clause; DPIA support terms |
| Processor | Delete or return personal data at end of services | UK GDPR Article 28 | Processor must return or delete data unless UK law requires retention. | Mandatory | Exit clause; deletion and return schedule |
| Processor | Delete existing copies unless retention is legally required | UK GDPR Article 28 | Processor must remove copies after services unless law requires storage. | Mandatory | Deletion clause; backup deletion terms; retention schedule |
| Processor | Make compliance information available for audits | UK GDPR Article 28 | Processor must provide information needed to show Article 28 compliance. | Mandatory | Audit clause; compliance evidence schedule |
| Processor | Allow and contribute to controller audits and inspections | UK GDPR Article 28 | Processor must permit audits by controller or an authorised auditor. | Mandatory | Audit rights clause; inspection procedure |
| Processor | Inform controller if an instruction infringes data protection law | UK GDPR Article 28 | Processor should alert controller where an instruction appears unlawful. | Mandatory | Instructions clause; escalation process |
| Processor | Comply with processor direct statutory obligations | UK GDPR Accountability Requirements | Processor must meet its own UK GDPR duties, not only contractual promises. | Mandatory | General compliance clause; processor warranties |
| Controller | Use only processors giving sufficient compliance guarantees | UK GDPR Accountability Requirements | Controller must choose processors able to meet UK GDPR and protect data subjects. | Mandatory | Due diligence clause; onboarding procedure; warranties |
| Controller | Identify and maintain a lawful basis for processing | UK GDPR Accountability Requirements | Controller must ensure each processing purpose has a valid lawful basis. | Mandatory | Controller warranty; processing schedule; compliance clause |
| Controller | Identify Article 9 condition for special category data | UK GDPR Accountability Requirements | Controller must identify an exception for health, biometric, ethnicity or similar data. | Context Dependent | Special category data clause; processing schedule |
| Controller | Identify authority for criminal offence data processing | Data Protection Act 2018 | Controller needs official authority or a Schedule 1 condition for offence data. | Context Dependent | Criminal offence data clause; compliance schedule |
| Controller | Maintain an appropriate policy document where required | Data Protection Act 2018 | Some special category and offence data conditions require a documented policy. | Context Dependent | Controller compliance warranty; special data schedule |
| Controller | Provide required privacy information to data subjects | UK GDPR Accountability Requirements | Controller must give individuals clear privacy information about the processing. | Mandatory | Controller obligations clause; privacy notice responsibility |
| Controller | Limit personal data to what is necessary | UK GDPR Accountability Requirements | Controller should ensure only necessary data is supplied for processing. | Mandatory | Controller obligations clause; data scope schedule |
| Controller | Keep controller-supplied personal data accurate | UK GDPR Accountability Requirements | Controller should take reasonable steps to ensure data shared with processor is accurate. | Mandatory | Controller warranties; data quality clause |
| Both Parties | Prevent processing for unauthorised purposes | UK GDPR Accountability Requirements | Data should be used only for the agreed processing purposes. | Mandatory | Purpose limitation clause; processing schedule |
| Both Parties | Apply agreed retention periods | UK GDPR Accountability Requirements | Personal data should not be kept longer than needed or legally required. | Mandatory | Retention schedule; deletion clause; exit plan |
| Both Parties | Restrict international transfers without a valid UK transfer mechanism | UK GDPR Accountability Requirements | Transfers outside the UK need adequacy, IDTA, UK Addendum or another lawful route. | Context Dependent | International transfers clause; transfer schedule; IDTA or UK Addendum |
| Both Parties | Use the UK International Data Transfer Agreement where appropriate | Contractual Best Practice | Use the ICO IDTA for certain restricted transfers from the UK. | Context Dependent | Transfer schedule; IDTA attachment |
| Both Parties | Use the UK Addendum with EU SCCs where appropriate | Contractual Best Practice | Pair EU SCCs with the UK Addendum for UK restricted transfers when suitable. | Context Dependent | Transfer schedule; UK Addendum attachment |
| Controller | Complete transfer risk assessments for restricted transfers | Contractual Best Practice | Assess destination law and safeguards before relying on transfer tools. | Context Dependent | Transfer due diligence clause; TRA schedule |
| Processor | Maintain processor records of processing activities | UK GDPR Accountability Requirements | Processor must keep required records for processing carried out for controllers. | Mandatory | Records clause; compliance evidence schedule |
| Controller | Maintain controller records of processing activities | UK GDPR Accountability Requirements | Controller must document purposes, categories, recipients, transfers and retention details. | Mandatory | Controller compliance clause; records schedule |
| Both Parties | Cooperate with the ICO on request | UK GDPR Accountability Requirements | Controllers and processors must cooperate with ICO when requested in performance of tasks. | Mandatory | Regulatory cooperation clause; notice clause |
| Both Parties | Appoint a data protection officer where required | UK GDPR Accountability Requirements | DPO is needed for certain public, monitoring or special category processing activities. | Context Dependent | Contacts clause; DPO details schedule |
| Both Parties | Appoint a UK representative where required | UK GDPR Accountability Requirements | Non-UK organisations may need a UK representative for UK-targeted processing. | Context Dependent | Regulatory contacts clause; representative details schedule |
| Processor | Prohibit processor independent use of personal data | Contractual Best Practice | Processor should not use data for analytics, product training or marketing unless authorised. | Usually Recommended | Use restriction clause; AI and analytics clause |
| Processor | Restrict use of personal data for AI model training | Contractual Best Practice | Processor should not train AI systems on controller data unless expressly agreed. | Context Dependent | AI use clause; prohibited processing clause |
| Both Parties | Define audit frequency, notice and cost allocation | Contractual Best Practice | Set practical limits for audits without undermining mandatory audit rights. | Usually Recommended | Audit procedure clause; audit schedule |
| Processor | Provide security certifications or independent assurance reports | Contractual Best Practice | Processor may evidence controls through ISO 27001, SOC 2 or similar reports. | Usually Recommended | Security assurance clause; compliance evidence schedule |
| Processor | Apply role-based access controls | Contractual Best Practice | Limit system access to authorised personnel with need-to-know permissions. | Usually Recommended | Technical measures schedule; access control clause |
| Both Parties | Use multi-factor authentication for privileged access | Contractual Best Practice | MFA reduces account compromise risk for admin and remote access. | Usually Recommended | Security schedule; identity and access management controls |
| Processor | Maintain access logs and security monitoring | Contractual Best Practice | Record and monitor access to detect misuse, incidents and unauthorised activity. | Usually Recommended | Logging clause; monitoring controls schedule |
| Processor | Maintain vulnerability and patch management | Contractual Best Practice | Identify, prioritise and remediate vulnerabilities affecting processing systems. | Usually Recommended | Security schedule; vulnerability management clause |
| Processor | Use secure development and change management controls | Contractual Best Practice | Apply security review, testing and approval before system changes go live. | Usually Recommended | Secure development clause; change management schedule |
| Processor | Maintain secure backups where appropriate | Contractual Best Practice | Backups should support recovery and be protected against unauthorised access. | Context Dependent | Backup clause; disaster recovery schedule |
| Processor | Securely erase or destroy personal data and media | Contractual Best Practice | Use secure deletion and disposal methods for data, devices and paper records. | Usually Recommended | Deletion clause; media disposal schedule |
| Both Parties | Train personnel handling personal data | Contractual Best Practice | Staff should understand confidentiality, security, breach and request handling duties. | Usually Recommended | Personnel clause; training controls schedule |
| Processor | Identify hosting and processing locations | Contractual Best Practice | Disclose countries where data will be hosted, accessed or supported from. | Usually Recommended | Data location schedule; subprocessor schedule; transfer clause |
| Processor | Notify controller of legally binding disclosure requests where lawful | Contractual Best Practice | Processor should alert controller to compelled access requests unless prohibited by law. | Context Dependent | Disclosure request clause; transfer safeguards schedule |
| Processor | Notify controller of data protection complaints or regulator contact | Contractual Best Practice | Processor should promptly route complaints and ICO correspondence to controller. | Usually Recommended | Communications clause; complaint handling procedure |
| Both Parties | Allocate liability for data protection losses and claims | Contractual Best Practice | Contract should address caps, exclusions, indemnities and regulatory fine risk. | Usually Recommended | Liability clause; indemnity clause; limitation of liability |
| Processor | Maintain appropriate cyber or professional insurance | Contractual Best Practice | Processor may need insurance covering cyber incidents, privacy claims and service failures. | Context Dependent | Insurance clause; supplier risk schedule |
| Both Parties | Set response times for assistance obligations | Contractual Best Practice | Define practical timeframes for rights requests, breaches, audits and DPIA support. | Usually Recommended | Assistance SLA; operational schedule |
| Both Parties | Define when assistance is included or chargeable | Contractual Best Practice | Clarify fees for extra audits, DPIAs, exports or exceptional compliance support. | Usually Recommended | Fees clause; assistance schedule; audit clause |
| Processor | Provide data return in a usable format | Contractual Best Practice | Data return should use agreed formats to support migration and continuity. | Usually Recommended | Exit plan; data return schedule; migration clause |
| Processor | Define delayed deletion from backups | Contractual Best Practice | Specify how long backup copies persist and how they are protected until deletion. | Usually Recommended | Backup deletion clause; retention schedule |
| Processor | Certify deletion or return on request | Contractual Best Practice | Processor should confirm completion of deletion, return or secure disposal. | Usually Recommended | Deletion certificate clause; exit schedule |
| Processor | Notify material changes affecting data protection risk | Contractual Best Practice | Processor should notify changes to systems, locations, security or processing scope. | Usually Recommended | Change control clause; risk notification clause |
| Both Parties | Maintain data protection and security contact points | Contractual Best Practice | Name contacts for instructions, incidents, audits, rights requests and escalations. | Usually Recommended | Notices clause; contacts schedule; incident playbook |
| Both Parties | Confirm controller, processor or subprocessor roles | Contractual Best Practice | Identify roles accurately for each processing activity before using a DPA. | Usually Recommended | Roles clause; processing schedule; relationship clause |
| Both Parties | Address any joint controller processing separately | UK GDPR Accountability Requirements | Joint controllers need a transparent arrangement allocating UK GDPR responsibilities. | Context Dependent | Role carve-out; joint controller schedule; separate arrangement |
| Both Parties | Carve out independent controller processing | Contractual Best Practice | Separate processing where a party decides its own purposes, such as billing or compliance. | Context Dependent | Role clause; independent controller carve-out |
| Both Parties | Address law enforcement processing rules where applicable | Data Protection Act 2018 | Part 3 DPA 2018 applies to competent authority law enforcement processing. | Context Dependent | Sector-specific compliance clause; law enforcement schedule |
| Controller | Address public authority restrictions and duties | UK GDPR Accountability Requirements | Public authorities may need public task basis and have special DPO duties. | Context Dependent | Public sector compliance clause; controller warranty |
| Both Parties | Apply safeguards for children's personal data | Contractual Best Practice | Extra care is needed where services process children's data or profile children. | Context Dependent | Children's data clause; safeguarding schedule; DPIA terms |
| Both Parties | Support automated decision-making compliance where relevant | UK GDPR Accountability Requirements | Relevant systems may need safeguards, human review and explanation support. | Context Dependent | Automated decisions clause; AI schedule; DPIA support terms |
| Processor | Support data portability requests where applicable | UK GDPR Article 28 | Processor may need to export personal data in a structured usable format. | Context Dependent | Data subject rights clause; export format schedule |
| Processor | Implement controller instructions for rectification or erasure | UK GDPR Article 28 | Processor should correct or delete data when lawfully instructed by controller. | Mandatory | Rights assistance clause; operational request schedule |
| Processor | Implement restriction of processing where instructed | UK GDPR Article 28 | Processor should suspend or limit processing for affected data when instructed. | Mandatory | Rights assistance clause; restriction workflow |
| Processor | Support objection request handling where applicable | UK GDPR Article 28 | Processor may need to stop or adjust processing after controller decision. | Context Dependent | Rights assistance clause; objection workflow |
| Both Parties | Suspend disputed instructions pending clarification | Contractual Best Practice | Create a process for pausing instructions that may be unlawful or unsafe. | Usually Recommended | Instruction escalation clause; dispute procedure |
| Both Parties | Define scope of processor assistance by nature of processing | UK GDPR Article 28 | Article 28 assistance depends on processing type and available information. | Mandatory | Assistance clause; service-specific schedule |
| Processor | Notify controller where law requires processing outside instructions | UK GDPR Article 28 | Processor should tell controller before legally required processing unless law prohibits it. | Mandatory | Legally required processing clause; disclosure requests clause |
| Processor | Avoid determining purposes and means of controller processing | UK GDPR Accountability Requirements | Processor may be treated as controller if it decides its own purposes and means. | Mandatory | Role clause; use restrictions; controller conversion clause |
| Processor | Maintain agreed data protection certifications or code commitments | UK GDPR Accountability Requirements | If relied on, codes or certifications should be maintained and evidenced. | Context Dependent | Compliance assurance clause; certification schedule |
| Both Parties | Document personal data breaches and remediation | UK GDPR Security Requirements | Keep records of breach facts, effects and remedial action for accountability. | Mandatory | Incident log clause; breach procedure schedule |
| Both Parties | Cooperate in breach investigation and mitigation | Contractual Best Practice | Parties should investigate, contain, remediate and preserve evidence after incidents. | Usually Recommended | Incident response schedule; cooperation clause |
| Both Parties | Protect confidential audit and security information | Contractual Best Practice | Audit evidence should be protected to avoid exposing security or customer information. | Usually Recommended | Audit confidentiality clause; security evidence room terms |
| Both Parties | Define rules for anonymised or aggregated data | Contractual Best Practice | Permit use only if data is genuinely anonymised and re-identification is restricted. | Context Dependent | Anonymised data clause; analytics clause |
| Processor | Prohibit re-identification of anonymised or pseudonymised data | Contractual Best Practice | Processor should not attempt re-identification unless authorised for security or support. | Usually Recommended | Anonymisation clause; prohibited use clause |
| Processor | Revoke personnel access when no longer needed | Contractual Best Practice | Remove access promptly when personnel change role or leave. | Usually Recommended | Access control schedule; personnel offboarding clause |
| Processor | Maintain physical security for processing facilities | Contractual Best Practice | Protect offices, data centres, devices and paper records from unauthorised access. | Usually Recommended | Physical security schedule; premises controls |
| Both Parties | Apply secure remote working controls | Contractual Best Practice | Protect remote access, devices, networks and home working environments. | Usually Recommended | Remote access clause; security measures schedule |
| Both Parties | Maintain endpoint and device security | Contractual Best Practice | Use device encryption, anti-malware, patching, locking and remote wipe where suitable. | Usually Recommended | Endpoint security schedule; acceptable use controls |
| Processor | Maintain network security controls | Contractual Best Practice | Use firewalls, segmentation, secure configuration and monitoring where relevant. | Usually Recommended | Network security schedule; technical controls |
| Both Parties | Maintain malware and ransomware protections | Contractual Best Practice | Use layered controls to prevent, detect and recover from malware attacks. | Usually Recommended | Security measures schedule; incident response plan |
| Processor | Test business continuity and disaster recovery plans | Contractual Best Practice | Plans should be tested so services and data can be restored during disruption. | Usually Recommended | BCDR clause; resilience schedule; testing reports |
| Processor | Segregate controller data from other customer data where appropriate | Contractual Best Practice | Use logical or physical separation to reduce unauthorised cross-customer access. | Context Dependent | Data segregation clause; cloud security schedule |
| Processor | Manage third-party software component risks | Contractual Best Practice | Track, update and remediate vulnerable libraries, tools and service components. | Usually Recommended | Secure development schedule; vulnerability clause |
| Both Parties | Define authorised instruction methods | Contractual Best Practice | Specify whether instructions may be in contract, platform settings, tickets or email. | Usually Recommended | Instructions clause; authorised users schedule |
| Controller | Manage controller authorised users and permissions | Contractual Best Practice | Controller should control who can submit instructions or access the service. | Usually Recommended | Controller security responsibilities; authorised users clause |
| Controller | Configure processor services securely | Contractual Best Practice | Controller should use available settings to apply appropriate access and retention controls. | Context Dependent | Shared responsibility clause; cloud configuration schedule |
| Both Parties | Allocate cloud security shared responsibilities | Contractual Best Practice | Clarify who secures identities, data, application settings, infrastructure and networks. | Context Dependent | Shared responsibility matrix; cloud security schedule |
| Controller | Address cookies or tracking technologies if processor deploys them | Data Protection Act 2018 | Controller may need PECR-compliant consent and information for non-essential cookies. | Context Dependent | Tracking technology clause; cookie schedule; controller obligations |
| Controller | Address electronic marketing processing if included in services | Data Protection Act 2018 | Marketing emails or texts may require PECR consent or soft opt-in compliance. | Context Dependent | Marketing services clause; controller warranty; suppression list terms |

What Must A UK Data Processing Agreement Include?

A UK data processing agreement should, at minimum, cover the mandatory processor terms required by UK GDPR Article 28: documented instructions, confidentiality, security, subprocessors, assistance with data subject rights, assistance with compliance, return or deletion of data, audit information and limits on engaging another processor. These terms should normally be in the main processing clause and a detailed processing schedule.

Who Is Responsible For Each Data Processing Obligation?

The controller remains accountable for deciding the purposes and means of processing, choosing a suitable processor and giving lawful instructions. The processor must process only on those instructions and meet the specific Article 28 duties. Some obligations, such as security, breach handling, records, international transfers and DPIA cooperation, require practical cooperation by both parties.

Which Obligations Are Context Dependent In The UK?

Some clauses are not always mandatory but are important where the facts require them. These include UK international transfer mechanisms, DPIA support, UK representative terms, special category safeguards, public authority duties, law enforcement processing issues under the Data Protection Act 2018 and sector-specific operational controls.

How Should These Obligations Be Drafted In Practice?

Use a concise main DPA for core legal obligations and place operational details in schedules. The most useful schedules usually cover processing details, technical and organisational measures, approved subprocessors, international transfers, audit process, breach notification workflow, retention and deletion, and assistance service levels.


FAQs

It is a structured reference table comparing the key duties of controllers and processors under the UK GDPR and Data Protection Act 2018. It helps users understand which party is responsible for specific compliance tasks.
