Whenever a controller uses a processor to process personal data on their behalf, a written contract needs to be in place between the parties.
Similarly, if a processor uses another organisation (ie a sub-processor) to help it process personal data for a controller, it needs to have a written contract in place with that sub-processor.
Contracts between controllers and processors ensure they both understand their obligations, responsibilities and liabilities.
Contracts also help them comply with the GDPR, and assist controllers in demonstrating to individuals and regulators their compliance as required by the accountability principle.