Whenever a controller uses a processor it needs to have a written contract in place. The contract is important so that both parties understand their responsibilities and liabilities.
The GDPR sets out what needs to be included in the contract. These contracts must now include certain specific terms, as a minimum.
If you outsource to a third party (a third party who processes personal data on behalf of the controller) it needs to have a written contract in place.
For example: payroll - then you need to have in place a contract.
We can help you with drafting an appropriate contract or clause you can use.
Looking for Privacy Notice Help?