Data Processor Agreement vs Data Controller Agreement
Last updated: February 2025
Quick Comparison
| Aspect | Data Processor Agreement | Data Controller Agreement |
|---|---|---|
| Relationship | Controller instructs processor; hierarchical | Controllers are independent or joint; peer relationship |
| Legal requirement | Mandatory under UK GDPR Article 28 | Good practice; mandatory for joint controllers under Article 26 |
| Purpose determination | Processor has no independent purpose | Each controller determines their own purpose |
| Liability | Controller primarily liable; processor liable for own breaches | Each controller independently liable for their processing |
| Mandatory clauses | Specific clauses required by Article 28(3) | No prescribed clauses, but transparency obligations apply |
What Is a Data Processor Agreement?
A mandatory contract under UK GDPR Article 28 governing how a data processor handles personal data on behalf of a data controller.
Key Features
- Required by law under UK GDPR Article 28
- Processor acts only on controller's documented instructions
- Must include specific mandatory clauses prescribed by GDPR
- Processor has no independent purpose for the data
Best For
- Outsourcing data processing to cloud providers or SaaS platforms
- Engaging payroll providers, email service providers, or hosting companies
- Any arrangement where a third party processes personal data on your behalf
What Is a Data Controller Agreement?
An agreement between two or more data controllers who share personal data, each determining their own purposes and means of processing.
Key Features
- Each party independently determines purposes of processing
- Often called a data sharing agreement
- Must have a lawful basis for sharing (e.g., legitimate interests, consent)
- Each controller is independently responsible for their own compliance
Best For
- Sharing data between business partners for their respective purposes
- Industry data sharing arrangements
- Referral arrangements where each party uses the data independently
When to Use a Data Processor Agreement
Use a data processor agreement whenever you engage a third party to process personal data on your behalf. This includes cloud services, payroll providers, email platforms, and analytics tools. It is a legal requirement, not optional.
When to Use a Data Controller Agreement
Use a data controller agreement when sharing personal data with another organisation that will use the data for its own independent purposes. This is common in partnerships, referral arrangements, and industry collaborations.
Which Does Your Business Need?
First, determine the roles. If the third party processes data only on your instructions and for your purposes, you need a processor agreement. If each party determines its own purposes, you need a controller-to-controller agreement. For joint decisions about purposes and means, you need a joint controller agreement under Article 26.
FAQ
What must a data processor agreement include under UK GDPR?
Article 28(3) requires clauses covering: processing only on documented instructions, confidentiality obligations, security measures, sub-processor controls, assistance with data subject rights, deletion or return of data on termination, audit rights, and notification of data breaches.
What is a joint controller arrangement?
Under Article 26, joint controllers are two or more controllers who jointly determine the purposes and means of processing. They must agree their respective responsibilities in a transparent arrangement and make the essence of this agreement available to data subjects.
This is guidance for UK businesses, not legal advice. Consult a solicitor for complex matters.