UK Controller And Processor Obligations Matrix
| Party | Obligation | Source Category | Description | Inclusion Status | Drafting Location |
|---|---|---|---|---|---|
| Processor | Process personal data only on documented controller instructions | UK GDPR Article 28 | Processor may process data only as instructed, including transfers unless legally required. | Mandatory | Main processing clause instructions schedule transfer clause |
| Both Parties | Set out processing subject matter and duration | UK GDPR Article 28 | Contract must describe what processing will occur and how long it will last. | Mandatory | Processing details schedule |
| Both Parties | Specify nature and purpose of processing | UK GDPR Article 28 | DPA should identify why and how the processor processes the personal data. | Mandatory | Processing details schedule services description |
| Both Parties | Identify types of personal data processed | UK GDPR Article 28 | DPA should list data types such as contact, usage, payment or HR data. | Mandatory | Processing details schedule data categories table |
| Both Parties | Identify categories of data subjects | UK GDPR Article 28 | DPA should name affected groups, such as customers, staff or suppliers. | Mandatory | Processing details schedule data subject categories table |
| Controller | Record controller obligations and rights | UK GDPR Article 28 | Contract must state the controller's rights and obligations in relation to processing. | Mandatory | Controller obligations clause governance clause |
| Processor | Ensure authorised personnel are bound by confidentiality | UK GDPR Article 28 | Processor staff and authorised users must have confidentiality duties or statutory obligations. | Mandatory | Confidentiality clause personnel clause |
| Processor | Implement appropriate technical and organisational measures | UK GDPR Security Requirements | Processor must apply security measures appropriate to risk and data sensitivity. | Mandatory | Security clause technical and organisational measures schedule |
| Controller | Maintain controller-side security measures | UK GDPR Security Requirements | Controller must secure its systems, accounts, instructions and integration environment. | Mandatory | Controller responsibilities clause shared security schedule |
| Both Parties | Use pseudonymisation and encryption where appropriate | UK GDPR Security Requirements | Consider masking, tokenisation and encryption to reduce confidentiality and misuse risks. | Context Dependent | Security schedule encryption standard key management clause |
| Both Parties | Ensure confidentiality, integrity, availability and resilience | UK GDPR Security Requirements | Systems and services should remain secure, accurate, accessible and resilient. | Mandatory | Security measures schedule availability and resilience clause |
| Processor | Restore access to data after incidents | UK GDPR Security Requirements | Processor should restore availability and access in a timely manner after incidents. | Mandatory | Business continuity clause backup and disaster recovery schedule |
| Both Parties | Test and evaluate security measures regularly | UK GDPR Security Requirements | Security controls should be tested, assessed and improved on a regular basis. | Mandatory | Security testing clause audit schedule vulnerability management terms |
| Processor | Do not appoint subprocessors without controller authorisation | UK GDPR Article 28 | Processor needs specific or general written authorisation before using another processor. | Mandatory | Subprocessing clause approved subprocessor schedule |
| Processor | Give notice of intended subprocessor changes | UK GDPR Article 28 | Processor must notify controller of additions or replacements and allow objections. | Mandatory | Subprocessor change clause objection process |
| Processor | Impose equivalent data protection terms on subprocessors | UK GDPR Article 28 | Subprocessor contract must contain the same data protection obligations in substance. | Mandatory | Subprocessor flow-down clause subcontracting clause |
| Processor | Remain liable for subprocessor data protection performance | UK GDPR Article 28 | Processor remains responsible if its subprocessor fails to meet data protection obligations. | Mandatory | Subprocessor liability clause indemnity clause |
| Processor | Assist with data subject rights requests | UK GDPR Article 28 | Processor must help controller respond to access, deletion, objection and similar requests. | Mandatory | Data subject rights clause assistance SLA |
| Processor | Forward data subject requests to controller promptly | Contractual Best Practice | Processor should send requests to controller quickly and avoid unauthorised responses. | Usually Recommended | Rights request procedure notification timescale clause |
| Processor | Assist with security and personal data breach duties | UK GDPR Article 28 | Processor must assist with Article 32 security and breach notification compliance. | Mandatory | Assistance clause breach procedure security schedule |
| Processor | Notify controller after becoming aware of a personal data breach | UK GDPR Security Requirements | Processor must notify controller without undue delay after breach awareness. | Mandatory | Breach notification clause incident response schedule |
| Controller | Notify ICO of notifiable personal data breaches | UK GDPR Security Requirements | Controller must notify ICO within 72 hours unless breach is unlikely to risk rights. | Mandatory | Breach responsibilities clause escalation procedure |
| Controller | Communicate high-risk breaches to data subjects | UK GDPR Security Requirements | Controller must inform affected individuals where breach is likely to create high risk. | Mandatory | Breach communication clause incident response schedule |
| Both Parties | Provide breach information needed for assessment and notification | UK GDPR Security Requirements | Parties should share facts, affected data, mitigation steps and likely consequences. | Mandatory | Incident reporting template breach schedule |
| Processor | Assist with data protection impact assessments | UK GDPR Article 28 | Processor must help controller complete DPIAs where processing risk requires one. | Context Dependent | DPIA assistance clause compliance support schedule |
| Processor | Assist with ICO prior consultation where required | UK GDPR Article 28 | Processor must help controller consult ICO where DPIA shows unmitigated high risk. | Context Dependent | Regulator consultation clause DPIA support terms |
| Processor | Delete or return personal data at end of services | UK GDPR Article 28 | Processor must return or delete data unless UK law requires retention. | Mandatory | Exit clause deletion and return schedule |
| Processor | Delete existing copies unless retention is legally required | UK GDPR Article 28 | Processor must remove copies after services unless law requires storage. | Mandatory | Deletion clause backup deletion terms retention schedule |
| Processor | Make compliance information available for audits | UK GDPR Article 28 | Processor must provide information needed to show Article 28 compliance. | Mandatory | Audit clause compliance evidence schedule |
| Processor | Allow and contribute to controller audits and inspections | UK GDPR Article 28 | Processor must permit audits by controller or an authorised auditor. | Mandatory | Audit rights clause inspection procedure |
| Processor | Inform controller if an instruction infringes data protection law | UK GDPR Article 28 | Processor should alert controller where an instruction appears unlawful. | Mandatory | Instructions clause escalation process |
| Processor | Comply with processor direct statutory obligations | UK GDPR Accountability Requirements | Processor must meet its own UK GDPR duties, not only contractual promises. | Mandatory | General compliance clause processor warranties |
| Controller | Use only processors giving sufficient compliance guarantees | UK GDPR Accountability Requirements | Controller must choose processors able to meet UK GDPR and protect data subjects. | Mandatory | Due diligence clause onboarding procedure warranties |
| Controller | Identify and maintain a lawful basis for processing | UK GDPR Accountability Requirements | Controller must ensure each processing purpose has a valid lawful basis. | Mandatory | Controller warranty processing schedule compliance clause |
| Controller | Identify Article 9 condition for special category data | UK GDPR Accountability Requirements | Controller must identify an exception for health, biometric, ethnicity or similar data. | Context Dependent | Special category data clause processing schedule |
| Controller | Identify authority for criminal offence data processing | Data Protection Act 2018 | Controller needs official authority or a Schedule 1 condition for offence data. | Context Dependent | Criminal offence data clause compliance schedule |
| Controller | Maintain an appropriate policy document where required | Data Protection Act 2018 | Some special category and offence data conditions require a documented policy. | Context Dependent | Controller compliance warranty special data schedule |
| Controller | Provide required privacy information to data subjects | UK GDPR Accountability Requirements | Controller must give individuals clear privacy information about the processing. | Mandatory | Controller obligations clause privacy notice responsibility |
| Controller | Limit personal data to what is necessary | UK GDPR Accountability Requirements | Controller should ensure only necessary data is supplied for processing. | Mandatory | Controller obligations clause data scope schedule |
| Controller | Keep controller-supplied personal data accurate | UK GDPR Accountability Requirements | Controller should take reasonable steps to ensure data shared with processor is accurate. | Mandatory | Controller warranties data quality clause |
| Both Parties | Prevent processing for unauthorised purposes | UK GDPR Accountability Requirements | Data should be used only for the agreed processing purposes. | Mandatory | Purpose limitation clause processing schedule |
| Both Parties | Apply agreed retention periods | UK GDPR Accountability Requirements | Personal data should not be kept longer than needed or legally required. | Mandatory | Retention schedule deletion clause exit plan |
| Both Parties | Restrict international transfers without a valid UK transfer mechanism | UK GDPR Accountability Requirements | Transfers outside the UK need adequacy, IDTA, UK Addendum or another lawful route. | Context Dependent | International transfers clause transfer schedule IDTA or UK Addendum |
| Both Parties | Use the UK International Data Transfer Agreement where appropriate | Contractual Best Practice | Use the ICO IDTA for certain restricted transfers from the UK. | Context Dependent | Transfer schedule IDTA attachment |
| Both Parties | Use the UK Addendum with EU SCCs where appropriate | Contractual Best Practice | Pair EU SCCs with the UK Addendum for UK restricted transfers when suitable. | Context Dependent | Transfer schedule UK Addendum attachment |
| Controller | Complete transfer risk assessments for restricted transfers | Contractual Best Practice | Assess destination law and safeguards before relying on transfer tools. | Context Dependent | Transfer due diligence clause TRA schedule |
| Processor | Maintain processor records of processing activities | UK GDPR Accountability Requirements | Processor must keep required records for processing carried out for controllers. | Mandatory | Records clause compliance evidence schedule |
| Controller | Maintain controller records of processing activities | UK GDPR Accountability Requirements | Controller must document purposes, categories, recipients, transfers and retention details. | Mandatory | Controller compliance clause records schedule |
| Both Parties | Cooperate with the ICO on request | UK GDPR Accountability Requirements | Controllers and processors must cooperate with ICO when requested in performance of tasks. | Mandatory | Regulatory cooperation clause notice clause |
| Both Parties | Appoint a data protection officer where required | UK GDPR Accountability Requirements | DPO is needed for certain public, monitoring or special category processing activities. | Context Dependent | Contacts clause DPO details schedule |
| Both Parties | Appoint a UK representative where required | UK GDPR Accountability Requirements | Non-UK organisations may need a UK representative for UK-targeted processing. | Context Dependent | Regulatory contacts clause representative details schedule |
| Processor | Prohibit processor independent use of personal data | Contractual Best Practice | Processor should not use data for analytics, product training or marketing unless authorised. | Usually Recommended | Use restriction clause AI and analytics clause |
| Processor | Restrict use of personal data for AI model training | Contractual Best Practice | Processor should not train AI systems on controller data unless expressly agreed. | Context Dependent | AI use clause prohibited processing clause |
| Both Parties | Define audit frequency, notice and cost allocation | Contractual Best Practice | Set practical limits for audits without undermining mandatory audit rights. | Usually Recommended | Audit procedure clause audit schedule |
| Processor | Provide security certifications or independent assurance reports | Contractual Best Practice | Processor may evidence controls through ISO 27001, SOC 2 or similar reports. | Usually Recommended | Security assurance clause compliance evidence schedule |
| Processor | Apply role-based access controls | Contractual Best Practice | Limit system access to authorised personnel with need-to-know permissions. | Usually Recommended | Technical measures schedule access control clause |
| Both Parties | Use multi-factor authentication for privileged access | Contractual Best Practice | MFA reduces account compromise risk for admin and remote access. | Usually Recommended | Security schedule identity and access management controls |
| Processor | Maintain access logs and security monitoring | Contractual Best Practice | Record and monitor access to detect misuse, incidents and unauthorised activity. | Usually Recommended | Logging clause monitoring controls schedule |
| Processor | Maintain vulnerability and patch management | Contractual Best Practice | Identify, prioritise and remediate vulnerabilities affecting processing systems. | Usually Recommended | Security schedule vulnerability management clause |
| Processor | Use secure development and change management controls | Contractual Best Practice | Apply security review, testing and approval before system changes go live. | Usually Recommended | Secure development clause change management schedule |
| Processor | Maintain secure backups where appropriate | Contractual Best Practice | Backups should support recovery and be protected against unauthorised access. | Context Dependent | Backup clause disaster recovery schedule |
| Processor | Securely erase or destroy personal data and media | Contractual Best Practice | Use secure deletion and disposal methods for data, devices and paper records. | Usually Recommended | Deletion clause media disposal schedule |
| Both Parties | Train personnel handling personal data | Contractual Best Practice | Staff should understand confidentiality, security, breach and request handling duties. | Usually Recommended | Personnel clause training controls schedule |
| Processor | Identify hosting and processing locations | Contractual Best Practice | Disclose countries where data will be hosted, accessed or supported from. | Usually Recommended | Data location schedule subprocessor schedule transfer clause |
| Processor | Notify controller of legally binding disclosure requests where lawful | Contractual Best Practice | Processor should alert controller to compelled access requests unless prohibited by law. | Context Dependent | Disclosure request clause transfer safeguards schedule |
| Processor | Notify controller of data protection complaints or regulator contact | Contractual Best Practice | Processor should promptly route complaints and ICO correspondence to controller. | Usually Recommended | Communications clause complaint handling procedure |
| Both Parties | Allocate liability for data protection losses and claims | Contractual Best Practice | Contract should address caps, exclusions, indemnities and regulatory fine risk. | Usually Recommended | Liability clause indemnity clause limitation of liability |
| Processor | Maintain appropriate cyber or professional insurance | Contractual Best Practice | Processor may need insurance covering cyber incidents, privacy claims and service failures. | Context Dependent | Insurance clause supplier risk schedule |
| Both Parties | Set response times for assistance obligations | Contractual Best Practice | Define practical timeframes for rights requests, breaches, audits and DPIA support. | Usually Recommended | Assistance SLA operational schedule |
| Both Parties | Define when assistance is included or chargeable | Contractual Best Practice | Clarify fees for extra audits, DPIAs, exports or exceptional compliance support. | Usually Recommended | Fees clause assistance schedule audit clause |
| Processor | Provide data return in a usable format | Contractual Best Practice | Data return should use agreed formats to support migration and continuity. | Usually Recommended | Exit plan data return schedule migration clause |
| Processor | Define delayed deletion from backups | Contractual Best Practice | Specify how long backup copies persist and how they are protected until deletion. | Usually Recommended | Backup deletion clause retention schedule |
| Processor | Certify deletion or return on request | Contractual Best Practice | Processor should confirm completion of deletion, return or secure disposal. | Usually Recommended | Deletion certificate clause exit schedule |
| Processor | Notify material changes affecting data protection risk | Contractual Best Practice | Processor should notify changes to systems, locations, security or processing scope. | Usually Recommended | Change control clause risk notification clause |
| Both Parties | Maintain data protection and security contact points | Contractual Best Practice | Name contacts for instructions, incidents, audits, rights requests and escalations. | Usually Recommended | Notices clause contacts schedule incident playbook |
| Both Parties | Confirm controller, processor or subprocessor roles | Contractual Best Practice | Identify roles accurately for each processing activity before using a DPA. | Usually Recommended | Roles clause processing schedule relationship clause |
| Both Parties | Address any joint controller processing separately | UK GDPR Accountability Requirements | Joint controllers need a transparent arrangement allocating UK GDPR responsibilities. | Context Dependent | Role carve-out joint controller schedule separate arrangement |
| Both Parties | Carve out independent controller processing | Contractual Best Practice | Separate processing where a party decides its own purposes, such as billing or compliance. | Context Dependent | Role clause independent controller carve-out |
| Both Parties | Address law enforcement processing rules where applicable | Data Protection Act 2018 | Part 3 DPA 2018 applies to competent authority law enforcement processing. | Context Dependent | Sector-specific compliance clause law enforcement schedule |
| Controller | Address public authority restrictions and duties | UK GDPR Accountability Requirements | Public authorities may need public task basis and have special DPO duties. | Context Dependent | Public sector compliance clause controller warranty |
| Both Parties | Apply safeguards for children's personal data | Contractual Best Practice | Extra care is needed where services process children's data or profile children. | Context Dependent | Children's data clause safeguarding schedule DPIA terms |
| Both Parties | Support automated decision-making compliance where relevant | UK GDPR Accountability Requirements | Relevant systems may need safeguards, human review and explanation support. | Context Dependent | Automated decisions clause AI schedule DPIA support terms |
| Processor | Support data portability requests where applicable | UK GDPR Article 28 | Processor may need to export personal data in a structured usable format. | Context Dependent | Data subject rights clause export format schedule |
| Processor | Implement controller instructions for rectification or erasure | UK GDPR Article 28 | Processor should correct or delete data when lawfully instructed by controller. | Mandatory | Rights assistance clause operational request schedule |
| Processor | Implement restriction of processing where instructed | UK GDPR Article 28 | Processor should suspend or limit processing for affected data when instructed. | Mandatory | Rights assistance clause restriction workflow |
| Processor | Support objection request handling where applicable | UK GDPR Article 28 | Processor may need to stop or adjust processing after controller decision. | Context Dependent | Rights assistance clause objection workflow |
| Both Parties | Suspend disputed instructions pending clarification | Contractual Best Practice | Create a process for pausing instructions that may be unlawful or unsafe. | Usually Recommended | Instruction escalation clause dispute procedure |
| Both Parties | Define scope of processor assistance by nature of processing | UK GDPR Article 28 | Article 28 assistance depends on processing type and available information. | Mandatory | Assistance clause service-specific schedule |
| Processor | Notify controller where law requires processing outside instructions | UK GDPR Article 28 | Processor should tell controller before legally required processing unless law prohibits it. | Mandatory | Legally required processing clause disclosure requests clause |
| Processor | Avoid determining purposes and means of controller processing | UK GDPR Accountability Requirements | Processor may be treated as controller if it decides its own purposes and means. | Mandatory | Role clause use restrictions controller conversion clause |
| Processor | Maintain agreed data protection certifications or code commitments | UK GDPR Accountability Requirements | If relied on, codes or certifications should be maintained and evidenced. | Context Dependent | Compliance assurance clause certification schedule |
| Both Parties | Document personal data breaches and remediation | UK GDPR Security Requirements | Keep records of breach facts, effects and remedial action for accountability. | Mandatory | Incident log clause breach procedure schedule |
| Both Parties | Cooperate in breach investigation and mitigation | Contractual Best Practice | Parties should investigate, contain, remediate and preserve evidence after incidents. | Usually Recommended | Incident response schedule cooperation clause |
| Both Parties | Protect confidential audit and security information | Contractual Best Practice | Audit evidence should be protected to avoid exposing security or customer information. | Usually Recommended | Audit confidentiality clause security evidence room terms |
| Both Parties | Define rules for anonymised or aggregated data | Contractual Best Practice | Permit use only if data is genuinely anonymised and re-identification is restricted. | Context Dependent | Anonymised data clause analytics clause |
| Processor | Prohibit re-identification of anonymised or pseudonymised data | Contractual Best Practice | Processor should not attempt re-identification unless authorised for security or support. | Usually Recommended | Anonymisation clause prohibited use clause |
| Processor | Revoke personnel access when no longer needed | Contractual Best Practice | Remove access promptly when personnel change role or leave. | Usually Recommended | Access control schedule personnel offboarding clause |
| Processor | Maintain physical security for processing facilities | Contractual Best Practice | Protect offices, data centres, devices and paper records from unauthorised access. | Usually Recommended | Physical security schedule premises controls |
| Both Parties | Apply secure remote working controls | Contractual Best Practice | Protect remote access, devices, networks and home working environments. | Usually Recommended | Remote access clause security measures schedule |
| Both Parties | Maintain endpoint and device security | Contractual Best Practice | Use device encryption, anti-malware, patching, locking and remote wipe where suitable. | Usually Recommended | Endpoint security schedule acceptable use controls |
| Processor | Maintain network security controls | Contractual Best Practice | Use firewalls, segmentation, secure configuration and monitoring where relevant. | Usually Recommended | Network security schedule technical controls |
| Both Parties | Maintain malware and ransomware protections | Contractual Best Practice | Use layered controls to prevent, detect and recover from malware attacks. | Usually Recommended | Security measures schedule incident response plan |
| Processor | Test business continuity and disaster recovery plans | Contractual Best Practice | Plans should be tested so services and data can be restored during disruption. | Usually Recommended | BCDR clause resilience schedule testing reports |
| Processor | Segregate controller data from other customer data where appropriate | Contractual Best Practice | Use logical or physical separation to reduce unauthorised cross-customer access. | Context Dependent | Data segregation clause cloud security schedule |
| Processor | Manage third-party software component risks | Contractual Best Practice | Track, update and remediate vulnerable libraries, tools and service components. | Usually Recommended | Secure development schedule vulnerability clause |
| Both Parties | Define authorised instruction methods | Contractual Best Practice | Specify whether instructions may be in contract, platform settings, tickets or email. | Usually Recommended | Instructions clause authorised users schedule |
| Controller | Manage controller authorised users and permissions | Contractual Best Practice | Controller should control who can submit instructions or access the service. | Usually Recommended | Controller security responsibilities authorised users clause |
| Controller | Configure processor services securely | Contractual Best Practice | Controller should use available settings to apply appropriate access and retention controls. | Context Dependent | Shared responsibility clause cloud configuration schedule |
| Both Parties | Allocate cloud security shared responsibilities | Contractual Best Practice | Clarify who secures identities, data, application settings, infrastructure and networks. | Context Dependent | Shared responsibility matrix cloud security schedule |
| Controller | Address cookies or tracking technologies if processor deploys them | Data Protection Act 2018 | Controller may need PECR-compliant consent and information for non-essential cookies. | Context Dependent | Tracking technology clause cookie schedule controller obligations |
| Controller | Address electronic marketing processing if included in services | Data Protection Act 2018 | Marketing emails or texts may require PECR consent or soft opt-in compliance. | Context Dependent | Marketing services clause controller warranty suppression list terms |
What Must A UK Data Processing Agreement Include?
A UK data processing agreement should, at minimum, cover the mandatory processor terms required by UK GDPR Article 28: documented instructions, confidentiality, security, subprocessors, assistance with data subject rights, assistance with compliance, return or deletion of data, audit information and limits on engaging another processor. These terms should normally be in the main processing clause and a detailed processing schedule.
Who Is Responsible For Each Data Processing Obligation?
The controller remains accountable for deciding the purposes and means of processing, choosing a suitable processor and giving lawful instructions. The processor must process only on those instructions and meet the specific Article 28 duties. Some obligations, such as security, breach handling, records, international transfers and DPIA cooperation, require practical cooperation by both parties.
Which Obligations Are Context Dependent In The UK?
Some clauses are not always mandatory but are important where the facts require them. These include UK international transfer mechanisms, DPIA support, UK representative terms, special category safeguards, public authority duties, law enforcement processing issues under the Data Protection Act 2018 and sector-specific operational controls.
How Should These Obligations Be Drafted In Practice?
Use a concise main DPA for core legal obligations and place operational details in schedules. The most useful schedules usually cover processing details, technical and organisational measures, approved subprocessors, international transfers, audit process, breach notification workflow, retention and deletion, and assistance service levels.