Processor and Controller Agreement

As companies increasingly rely on the processing of personal data, it is important for businesses to understand the roles of processors and controllers, and the agreements that govern their relationship. In this article, we will explore the basics of the processor and controller agreement, and the steps companies can take to ensure compliance with data protection laws.

What is a Processor and Controller?

According to the General Data Protection Regulation (GDPR), a processor is a third party that processes personal data on behalf of a controller. This means that processors are responsible for carrying out specific tasks related to data processing, such as hosting data, managing email marketing campaigns, or providing cloud computing services. Controllers, on the other hand, are the entities that determine the purposes and means of processing personal data. In other words, controllers decide what data to collect, how it will be processed, and for what purposes.

The Processor and Controller Agreement

Under the GDPR, every business that uses processors must enter into a written agreement that defines the purpose, duration, nature, and scope of the processing activities. This agreement, known as a controller/processor agreement (CPA), ensures that processors and controllers are fully aware of their respective responsibilities and obligations.

The CPA must include specific details such as the type of data being processed, the duration of the processing, the security measures in place, and the procedures for data breach notification. It is important to note that the GDPR places strict liability on both processors and controllers, meaning that they can be held accountable for any violations of data protection laws.

Steps to Ensure Compliance

To ensure compliance with data protection laws, companies need to take several steps when drafting and implementing their CPA.

1. Identify all third-party processors: The first step is to identify all the third-party processors with whom the company shares personal data. This includes any external suppliers, service providers, or contractors.

2. Assess the risks: The company must assess the risks associated with each processor and ensure that each processor has adequate security measures in place to protect personal data.

3. Review and negotiate the CPA: The company should review and negotiate the CPA to ensure that it meets the requirements of the GDPR and provides adequate protection for personal data.

4. Train employees: The company must ensure that all employees who handle personal data are trained on the requirements of the GDPR and the company’s data protection policies.

5. Monitor compliance: The company should monitor the compliance of all processors with the terms of the CPA, and take appropriate action if there are any breaches.


In conclusion, the relationship between processors and controllers is an important one that must be governed by a written agreement that meets the requirements of the GDPR. The CPA ensures that both parties are aware of their responsibilities and obligations, and that personal data is protected. Companies must take appropriate steps to identify and assess the risks associated with processors, review and negotiate the CPA, train employees, and monitor compliance to ensure that they are compliant with data protection laws.