
Negotiating data processing agreements: key considerations

The UK General Data Protection Regulation (UK GDPR) sets out strict rules around data sharing. However, businesses regularly share personal data with third-party suppliers so that those suppliers can deliver services to them.

When a data controller shares personal data with a third-party data processor (such as a supplier), the parties need to enter into a set of mandatory data processing terms prescribed under Article 28 of the UK GDPR. These terms are often referred to as ‘controller to processor agreements’ and either form part of the relevant services agreement or sit in a separate data processing agreement (DPA).

If, as a controller, you share personal data with third-party suppliers who will process it on your behalf, you will need a controller to processor agreement.

When data controllers and processors seek to enter into controller to processor agreements, their terms are often heavily negotiated. The parties need to ensure that their agreements are UK GDPR compliant and protect their best interests. As such, there is a balance to be struck between complying with the law and being pragmatic enough to achieve workable commercial terms for both parties. In practice, this can be quite challenging for businesses.

In this practical guide, we will explore the key issues around negotiating controller to processor agreements, highlight the provisions which are most often negotiated and provide best practice tips for successful negotiations. If you would like assistance with reviewing or negotiating data processing agreements, our experienced data protection lawyers are here to help.

What is a controller to processor agreement and when is it required?

A controller to processor agreement is a legally binding document that describes a data sharing arrangement between a data controller and a data processor.

When a data controller uses a data processor, both parties are required to enter into a written agreement (or another legal act) under the UK GDPR. The purpose of this agreement is to ensure that the personal data being shared is protected and Article 28 of the UK GDPR sets out several mandatory terms which the agreement must include.

  • A data controller is the person or organisation deciding how and why to collect and use personal data.
  • In contrast, a data processor is a separate person or organisation who processes personal data on behalf of the controller and as per the controller’s instructions.

See our guide What Is A Data Processing Agreement? for further background on what a controller to processor agreement is and when it is required.

Is the supplier a processor?

Where a controller engages a data processor (typically a supplier of services), the parties will need to sign a controller to processor agreement. The required terms can either be included in the services agreement between the parties or set out in a separate data processing agreement (DPA).

As data controllers cannot carry out all business activities themselves, it is common to outsource certain responsibilities to third-party suppliers. Those suppliers often carry out certain data processing activities, following the strict instructions of the controller customer. Examples of data processor suppliers include website hosts, payroll providers, HR and CRM system suppliers and suppliers of software.

You should not, however, assume that all third-party suppliers are data processors. It is vital to understand what role your supplier plays in the data processing arrangement and to determine whether the supplier will act as a data processor. In practice, this can be difficult to determine. For example, if the supplier makes its own decisions about how or why your company’s personal data is used, rather than simply following your instructions, it may be acting as a controller (or joint controller) in its own right rather than as your processor, and a different form of agreement will be needed.

If you require advice on this and whether you need a controller and processor agreement in place, you can work with a data protection law team who will guide you on this and what agreement is necessary. It is critical to get this right and enter into the correct agreements from the outset, before you begin to share personal data with third parties.

Are controller to processor agreements mandatory?

A controller to processor agreement is not optional – it is a mandatory requirement, and you could face consequences for failing to have one in place, including heavy fines. As such, controller to processor agreements should be top priority for businesses sharing personal data in a controller to processor arrangement.

This is equally important for businesses acting as controllers and processors, as both are subject to this legal requirement. For more information, please see our article explaining when you need a controller to processor agreement.

What terms must a controller to processor agreement include?

Article 28 of the UK GDPR sets out several terms which controller to processor agreements must contain. For example, a processor must agree to obligations regarding:

  • Only processing personal data on the documented instructions of the controller.
  • Keeping personal data confidential (including ensuring that staff with access to it are bound by confidentiality) and putting in place appropriate security measures to protect it.
  • Not engaging third-party sub-processors without the controller’s authorisation.
  • Assisting the controller with certain UK GDPR requirements (such as responding to data subject requests, security, personal data breach notification and data protection impact assessments), making available the information needed to demonstrate compliance, and allowing for audits and inspections.
  • Deleting or returning personal data at the end of the relevant contract.

Additionally, the agreement must document specific details about the data processing activities, including the subject matter, nature, purpose and duration of the processing, the types of personal data and the categories of data subjects.

See our guide What Is A Data Processing Agreement? for further information on the terms which a controller to processor agreement should include.

When reviewing a controller to processor agreement, you must ensure that all the mandatory Article 28 UK GDPR clauses are included and are not diluted in any respect. Otherwise, you risk your agreement not being UK GDPR compliant.

Despite certain terms being mandatory, there is still plenty of room for negotiation in controller to processor agreements. Controllers often push for further protection and seek to impose more extensive obligations on processors. The Article 28 UK GDPR terms are a minimum and leave leeway for businesses to negotiate provisions to protect their own interests.

What should we consider before negotiating a controller to processor agreement?

There are certain preliminary, practical points which you should carefully consider before negotiating the terms of a controller to processor agreement. These points will influence your approach to negotiations and how far you should push to protect your interests.

Data controller considerations

Some of the key points to consider as a data controller include the following:

  • Consider which types of data the supplier will process as part of their services. Is there a large volume of data, and is that data sensitive or does it contain any special category data? Will the data remain in the United Kingdom, or will it be sent to or accessed in overseas countries? Will any group company personal data be shared?

The level of risk and the length of the data processing should determine your approach to negotiations. For example, a long-term project involving high volumes of sensitive information will require more time and negotiation effort than a small, single project involving minimal data.

  • Consider whether you will contract on the supplier’s data processing terms or present your own terms. This will often come down to how much negotiating power you have. For example, large service providers such as Amazon have their own data processing terms and will almost certainly reject any customer terms.

If your project is very low risk, you may decide that a simple and basic set of data processing terms in your services agreement suffices. However, larger and more high-risk projects may warrant a separate DPA with a comprehensive set of robust data processing terms, which cover more provisions than the terms mandated under Article 28 of the UK GDPR.

  • Through due diligence on the supplier, you may find that they have strong data security in place and a track record of keeping personal data secure. You may wish to tailor your approach to negotiations accordingly. If a supplier has an excellent reputation for safeguarding customer data and strong security credentials (for example, independent security certification and satisfactory answers to your security questionnaire), you may be more willing to trust them with your personal data and feel less need to negotiate onerous terms. Bear in mind that the mandatory Article 28 terms still apply regardless; what changes is how far you push beyond them.
  • You should also consider a commercial strategy, rather than simply focusing on legal issues. As a customer, you may really want to work with the supplier and need their services. For example, the supplier may offer you good fees or a bespoke service tailored to your business needs. As such, you may wish to consider taking a reasonable approach to get the deal over the line commercially, rather than starting off on the wrong foot with acrimonious negotiations.
  • You should also consider your budget. For example, it is unlikely to be cost-effective to attempt to heavily negotiate standard processing terms with a large supplier of services, who may simply reject any amendments you propose.

These initial considerations will impact how you approach negotiating controller to processor agreements. This will not be a one-size-fits-all approach and may vary depending on the type of supplier and the type of data involved under the relevant contract.  

Data processor considerations

As a supplier of services processing personal data for customers, you should also adopt a strategic approach to negotiating controller to processor agreements.  

You may want to push for a customer to sign your own data processing terms or DPA; however, you should try to be open to what the customer’s concerns might be. Think about what additional assurances you could offer to give your customer comfort, whilst not agreeing to terms you know you will struggle to comply with in practice.

Again, the risk profile of the data in question and the length and value of the project are likely to shape your overall strategy and approach to negotiations.

It is vital to always review the terms proposed by a customer very carefully and ensure you can deliver what the customer requests before agreeing to do so.

What terms are commonly negotiated in a controller to processor agreement?

There are various provisions which parties tend to negotiate in controller to processor agreements. Some of the most heavily negotiated are explored below.

  • Liability and indemnities
    The UK GDPR does not prescribe how liability should be allocated between a controller and its processor as a matter of contract. As such, this is one of the most heavily negotiated parts of controller to processor agreements, with the parties negotiating how liability should be apportioned between them.

    Controllers are accountable and responsible for ensuring that processing is carried out in compliance with the UK GDPR. Controllers are more exposed to claims and can be held liable for various consequences if data is misused. However, the UK GDPR also places obligations directly on processors, who can be held liable in certain circumstances. Processors will also be concerned about the controller complying with the UK GDPR; for example, they will want assurance that the controller has a lawful basis and appropriate privacy notices (or consents, where relied upon) in place to allow personal data to be passed to them.

    Controllers will be particularly concerned about ensuring they can recover any losses they suffer from a processor. As such, a contractual indemnity (an obligation to compensate the controller for its losses on a pound for pound basis) is often a request in negotiations. A controller will also want to ensure that it can make certain claims against the processor, for example claims allowing the controller to have recourse against the processor for loss of data resulting from a data breach.

    Pre-GDPR, suppliers would often accept unlimited liability for data protection breaches. Post-GDPR, the trend is for suppliers to limit and cap their liability for such breaches, and a supplier is highly unlikely to accept unlimited liability. It is far more common for the parties to negotiate a separate, higher cap for data protection losses than the general liability cap in the contract.

    When considering liability, you should consider what the risk to personal data is for the project and what could realistically go wrong. As a controller, it is also important to check whether the supplier has cyber insurance in place, and at what level of cover, to back up the liability provisions you negotiate: a liability cap is only worth what the supplier can actually pay.

    Negotiations on liability will often come down to bargaining power. Very large suppliers such as Microsoft are extremely unlikely to negotiate these terms, but a small supplier looking to secure business may be more willing to negotiate liability clauses which a controller customer is comfortable with. Otherwise, there is a risk that the controller could go to a different supplier.

    Ultimately, the parties need to come to a reasonable compromise position over the allocation of liability. This will vary from contract to contract.
  • Security Measures
    The UK GDPR is not prescriptive about the exact security measures data processors should have in place; Article 32 requires ‘appropriate technical and organisational measures’ in light of the risk, without listing them. Controller customers will therefore often want a supplier to demonstrate appropriate security measures and to agree to maintain (and not reduce) those measures throughout the contract term.

    Often, controllers will try to impose specific security standards on their processors, and sometimes quite extensive ones, by asking processors to write particular security measures into the agreement. Processors may push back on the basis that the controller’s requests do not reflect the security measures they actually have in place, and a processor should never sign up to controls it does not operate.

    The security measures to be included in the agreement are therefore often heavily negotiated. The outcome will often come down to how far a processor can assure a controller that it has appropriate security to keep the controller’s data secure. As a processor, you should be prepared to answer a customer’s questions about your security measures and commitments as a business; this will form a key part of the customer’s supplier due diligence.
  • Sub-processors
    Under Article 28(2), a processor needs the controller’s prior specific or general written authorisation before it can appoint further third-party sub-processors. Processors will often insist on general authorisation so that they can change sub-processors from time to time; even then, the processor must inform the controller of any intended addition or replacement so that the controller has the opportunity to object. Controllers will want control over which sub-processors are appointed, a clear and reasonable timeframe within which to object to a new sub-processor, and remedies if they do object, such as the right to terminate the agreement. The processor must also flow down the same data protection obligations to each sub-processor and remains fully liable to the controller for the sub-processor’s performance. It is important to carefully discuss and negotiate the logistics of how this will work in practice under your agreement.
  • Costs
    Whilst a processor is obliged to assist a controller in complying with certain UK GDPR obligations, the parties commonly debate who will bear the cost of that assistance. A processor could incur substantial costs if it had to absorb the cost of assisting every controller customer, so processors will often want to charge for at least some of this assistance.

In addition to the above, other heavily negotiated points include:

  • The extent of the controller’s audit rights over the data processor – for example, which audit rights they have, how often audits can be carried out, whether sub-processors can be audited and who pays the costs.
  • Provisions around international data transfers of the controller’s data to countries outside of the United Kingdom.
  • The specific timeframes for notification of personal data breaches. The statutory baseline is that a processor must notify the controller ‘without undue delay’ after becoming aware of a breach. Controllers are likely to push for a tighter, fixed time limit (for example, within 24 hours, or ‘immediately’) because the controller itself must report a notifiable breach to the ICO within 72 hours of becoming aware of it, and it needs time to assess the incident before that deadline.

As highlighted above, agreeing controller to processor agreements is not straightforward and the parties will often explore several key areas as part of their negotiations.

What are some practical strategies to negotiate controller to processor agreements successfully?

There are various practical considerations to explore when negotiating controller to processor agreements.

As part of your strategy, you should consider the following:

  • Understand the types of personal data to be processed under the contract and its value. Consider the risks of what could go wrong if that data is compromised or misused.
  • Know your baseline position, what you need from the counterparty and what you are willing to compromise on. To successfully negotiate controller to processor agreements, you should think about how the relationship between the parties will work in practice and be willing to be flexible. If you are a controller, for example, consider whether you really need an indemnity from the supplier to get your deal over the line.  
  • Remember that you need to balance data protection compliance and security with the ability to do business with processors, in order to run your business. A balance must be struck between data privacy and security on the one hand and accessibility and usability on the other. Overly onerous and stringent requirements on data processors may be impractical to comply with and can stall the deal.

    Whilst you can bring several legal arguments to the negotiation table either as a controller or processor, think practically and commercially.

    As a controller you should not aim to create a contract that is so overly onerous that the supplier will not be able to comply with it and will refuse to do business with you.

    As a supplier, you should consider making sensible allowances to keep your controller customer happy, for example by offering them comfort on critical issues such as liability, which is likely to be their biggest concern. In practice, adopting a ‘take it or leave it’ approach may not help you win customer trust.
  • Overall, both parties should work together to achieve a reasonable compromise and listen to each other’s concerns. Whilst controllers often demand very high standards of processors, a balance needs to be struck so that each party is comfortable with the agreement. Ultimately, the parties will need to reach a resolution in order to be able to do business with each other.

    Further, protracted negotiations can cause delays and can incur significant costs. In the worst case, a negotiation approach which is too strict or onerous can even ‘kill the deal’ and lead to loss of business. As such, taking a risk based and pragmatic approach may help businesses successfully negotiate controller to processor agreements more easily and faster.  

Summary

Controller to processor agreements are vital documents for UK GDPR compliance, setting out the rights and obligations of the parties in data processing relationships. These agreements have been heavily negotiated since the GDPR took effect in May 2018 and increased the risk around data processing for both controllers and processors.

Whilst Article 28 of the UK GDPR sets out mandatory standard terms, various other key issues need to be carefully considered and negotiated between the parties.

Each controller to processor agreement should be considered on a case-by-case basis, depending on the risks of the processing involved. Data processors are unlikely to accept highly onerous terms, which are disproportionate to the risks of the data being processed.  

When negotiating a controller to processor agreement, you should carefully review all terms proposed and ensure you understand them and what is expected of you. If not, you could find yourself in breach of your contract and the other party could have various legal remedies against you.

Overall, the parties negotiating controller to processor agreements should take a commercial and pragmatic approach. The end goal is to reach an agreed set of terms and start to do business together. You are far more likely to achieve this by being reasonable and open to compromise and adopting a collaborative approach.


What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no-obligation to instruct us. We aim to respond to all messages received within 24 hours.

Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.

