Examples of relationships between controllers and processors

The use of data by data controllers in the voluntary and community sectors can take the following form: a controller is an organisation that makes decisions about the “why” and “how” of the processing. While a controller can carry out the actual processing itself, it can also entrust the execution of the processing to an external third party (i.e. a processor); the controller then has no direct participation in the data itself, but remains the controller. In both cases, the controller remains responsible for proving compliance with data protection legislation (principle of responsibility). In the following example of the transmission of PAY information to HMRC, it would be unnecessary to have a written contract with the Revenue.

The processor should be able to demonstrate to the controller an approach to information security, expertise, reliability, resources, compliance with the principles and the exercise of its rights in compliance with the requirements of the GDPR. This helps the controller to determine whether sufficient safeguards are in place.

You need to think carefully about where this is the case, because it is not obvious, at the outset, that as a manager you have stored data with a subcontractor. For example, storing certain personal data in a cloud storage service would probably fit this definition, given that the personal data is processed (stored on servers) by an external third party (the processor), even though that company may not have direct interaction with the data.

The template was reviewed by Sussex Police in 2019 to improve the document. References to Sussex and Surrey have been removed from the main document below, but the example forms and processes in the appendices are specific to Sussex and Surrey.