Data Protection Act 2018
80. (1) A controller shall engage a processor to carry out processing on its behalf only where—
(a) the processing is carried out, subject to subsection (3), in pursuance of a contract in writing between the controller and the processor that provides for the matters specified in subsection (2), and
(b) the processor provides sufficient guarantees to implement appropriate technical and organisational measures to ensure that—
(i) the processing shall comply with the provisions of this Part, and
(ii) the rights and freedoms of the data subjects are protected.
(2) A contract entered into between a controller and a processor in accordance with subsection (1)(a) shall—
(a) specify the subject matter, duration, nature and purpose of the processing to be carried out thereunder,
(b) specify the type of personal data to be processed thereunder and the categories of data subjects to whom the personal data relate,
(c) specify the obligations and rights of the controller in relation to the processing, and
(d) provide that the processor shall—
(i) act only on instructions from the controller in relation to the processing, except in so far as the law of the European Union or the law of the State requires the processor to act otherwise,
(ii) procure the services of another processor (in this section referred to as a “secondary processor”) in relation to the processing only where authorised to do so in advance and in writing by the controller, which authorisation may be specific or general in nature,
(iii) ensure that any person authorised to process the personal data has undertaken to maintain the confidentiality of the personal data or is under an appropriate statutory obligation to do so,
(iv) assist the controller in ensuring compliance with this Part in so far as it relates to the exercise by a data subject of his or her rights,
(v) erase or return to the controller, at the election of the controller, all personal data upon completion of the processing services carried out by the processor on behalf of the controller and erase any copy of the data, unless the processor is required by the law of the European Union or the law of the State to retain the data, and
(vi) make available to the controller all information necessary to demonstrate compliance by the processor with this section.
(3) Subsection (1)(a) shall not apply in relation to processing where the form of the processing and the role of the controller and the processor concerned are otherwise specified in the law of the European Union or the law of the State.
(4) Where a controller gives an authorisation, whether specific or general in nature, to a processor, including a secondary processor (in this section referred to as “the procuring processor”) to procure the services of a secondary processor, the procuring processor shall inform—
(a) the controller, and
(b) where relevant, any processor who procured the services of the procuring processor in relation to the processing concerned,
in advance of any such procurement or of a change in the terms of such procurement.
(5) Where a procuring processor procures the services of a secondary processor to carry out processing on behalf of a controller, subsections (1) and (2) shall apply to the procuring processor and the secondary processor, subject to the following modifications and any other necessary modifications:
(a) a reference to a “controller”, other than in subparagraphs (ii), (iv), (v) and (vi) of subsection (2)(d), shall be construed as a reference to the procuring processor;
(b) a reference to a “controller” in subsection (2)(d)(iv) shall be construed as a reference to the controller and the procuring processor;
(c) a reference to a “controller” in subsection (2)(d)(v) shall be construed as a reference to the controller or the procuring processor, as appropriate; and
(d) a reference to a “processor” shall be construed as a reference to a secondary processor.
(6) Where a person, who by virtue of the operation of this Part is a processor of personal data, when purporting to act as such a processor, determines the purpose and means of the processing of the data, the obligations that are placed on a controller under this Part shall apply thereafter to the person as though the person were a controller of the data.