Because we are a Data Controller who uses a Data Processor (you guys), the GDPR states that we must have a Controller-to-Processor agreement in place with you.
The below is from the ICO website. It means that each of your customers, as the Data Controller, must ask you to sign a Data Processing Agreement, which could mean that you have thousands of differently worded contracts to go through. I work for a payment gateway, and we are a processor for many controllers; to that end we've put together the Data Processing Agreement as a "self-serve" document that all our customers can sign and return to us. It's their responsibility, but we are making compliance easy for them. A sub-processor is different: if you are using sub-processors to process our data, we, as the Controllers, need to agree to that sub-processing, so you would lay it all out in the agreement too.
So that was the type of contract that I was looking for. Do you think that's something you might put together, or maybe already have? See the extract from the ICO below. Many thanks.
Whenever a controller uses a processor it needs to have a written contract in place.
The contract is important so that both parties understand their responsibilities and liabilities.
The GDPR sets out what needs to be included in the contract.
Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.
Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.
The checklist of what the agreement must legally contain can be found here.