Controller vs Processor — The Critical Distinction
This guide covers the UK GDPR Data Processing Agreement requirements as of June 2025. This is general information — consult a data protection solicitor for your specific circumstances. The ICO publishes guidance on Article 28 contracts at ico.org.uk.
| Role | Definition | Example | UK GDPR Obligations |
|---|---|---|---|
| Data Controller | Determines the purposes and means of processing | UK law firm (decides why client data is processed) | All UK GDPR obligations apply directly |
| Data Processor | Processes personal data on behalf of a controller | ClickMasters (processes client data to deliver software) | Specific Article 28 obligations, plus Article 32 security |
| Joint Controller | Two+ parties jointly determine purposes/means | Two hospitals running a shared patient record system | Both parties responsible — Article 26 required |
What Must a UK GDPR Article 28 DPA Include?
Article 28(3) sets out mandatory terms. A DPA that omits any of these is non-compliant:
Mandatory Term
Article 28(3) Reference
What to Include
Process only on documented instructions
Art 28(3)(a)
Scope of processing, specific purposes, lawful basis reference
Confidentiality obligation
Art 28(3)(b)
Processor staff bound by confidentiality (employment contract or separate NDA)
Security measures
Art 28(3)(c) + Art 32
Technical and organisational measures — reference Annex (see below)
Sub-processor restrictions
Art 28(3)(d)
Prior written authorisation required; same obligations on sub-processors
Data subject rights assistance
Art 28(3)(e)
Processor assists controller in responding to DSARs, erasure requests
Assist with compliance obligations
Art 28(3)(f)
Security, breach notification (within 24/48 hours to controller), DPIAs, consultations with ICO
Delete or return data at end
Art 28(3)(g)
Delete or return all personal data at contract end — controller's choice
Provide audit evidence
Art 28(3)(h)
Allow audits/inspections by controller or appointed auditor
Article 32 Security Annex — What to Include
Encryption at rest: AES-256 for all personal data at rest (database, backups, S3).
Encryption in transit: TLS 1.2 minimum, TLS 1.3 preferred, for all personal data in transit.
Access controls: RBAC with least privilege, MFA for admin accounts, unique accounts per user.
Vulnerability management: Dependabot automated CVE scanning, OS patches within 14 days (Cyber Essentials).
Penetration testing: annual CREST penetration test for systems processing special category data.
Incident response: breach notification to controller within 24 hours of discovery.
Cyber Essentials: certified annually — certificate available on request.
The security measures in the DPA Annex should reflect the Article 32 risk-based approach. For ClickMasters engagements:
Sub-Processor Management
| Sub-Processor | Purpose | Location | Data Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, databases, storage | eu-west-2 (London) — UK data residency | AWS Data Processing Addendum (DPA) |
| GitHub (Microsoft) | Source code repository, CI/CD (code only — no live personal data) | US — IDTA applies | Microsoft Online Services DPA |
| Datadog (optional) | Application performance monitoring, logs | EU region configurable | Datadog DPA + SCCs/IDTA |
| Stripe (payment projects only) | Payment processing | UK/EU | Stripe Data Processing Agreement |
IDTA — International Data Transfer Addendum
Post-Brexit: transfers of UK personal data from the UK to non-adequate countries (including the US) require either the ICO's IDTA (International Data Transfer Addendum) or the UK GDPR Addendum to EU SCCs. The IDTA is the ICO's mechanism for authorising UK→US data transfers. AWS, GitHub, and Stripe all offer UK GDPR-compliant IDTAs. ClickMasters ensures all sub-processor IDTAs are in place for UK personal data transfers.