In addition to the contract terms, a processor also has some direct responsibilities and liabilities under the GDPR. When drawing up and negotiating a contract for data processing, it is good practice for all parties to make sure they understand this.
The parties may also wish to explicitly cover this in the contract, although the GDPR doesn’t require it. For example they may wish to include a clause specifying that nothing in the contract relieves the processor or controller of its own direct responsibilities and liabilities under the GDPR – and to say what these are.
In any case the ICO recommends that both the controller and processor obtain their own professional advice.
