Note on GDPR compliance 

We have set out below a high level overview of your obligations under the European Union General Data Protection Regulation (EU GDPR) and the equivalent laws of the United Kingdom (UK GDPR, and together with the EU GDPR, GDPR), assuming that you are acting:

In our note below, Articles refer to Articles of the GDPR.

We have also assumed that you do not process any data:

In addition to our high level summary below, there are good checklists of your obligations as a controller and as a processor here (while this is a UK checklist, there are only minor differences between the EU GDPR and UK GDPR).

Comply with data protection principles

Where are you are the controller of personal data, you need to comply with the data protection principles of the GDPR set out in Articles 5-11.  In your case, these are:

Technical and organisational measures

As a controller under Article 25, and as a processor under Article 32, you must implement appropriate technical and organisational measures to give effect to the data protection principles of the GDPR.  You will need to determine what these technical and organisational measures are given all of the relevant circumstances.  

Some (non-exhaustive) examples given in Article 32 include: 

There is also a good checklist of considerations here.  

Acting as processor 

Where you are acting as processer (i.e. in relation to User Data), Article 28(3) requires that there be a contract in place between the controller and processor that meets certain requirements.  The data processing addendum that we have provided meets these requirements.  

Engaging processors and subprocessors

The GDPR requires that you have certain contractual arrangements in place with each of your service providers that store and/or process data on your behalf.  A suggested process for complying with these requirements is set out below.

Commonly, service providers that process data that you control (e.g. data you hold for account management, billing and marketing purposes) are referred to as processors, and service providers that process User Data are referred to as subprocessors.  For ease of reference, when we refer to processors below, we mean both your processors and subprocessors.  As explained below, the steps you have to follow are the same for both.

When we refer to process below, we mean both storage and processing.

As a practical observation on Step 4a:  The standard terms with most large data processing providers will adopt the appropriate SCCs or otherwise meet the requirements of Article 46.

In Steps 4a – c above, we have referenced the Articles that are relevant to controllers.  However, in practice, you need to follow these same steps for User Data (where you are the processor and not a controller).   For User Data, under Article 28(4), for any of your subprocessors, you need to ensure that the same data protection obligations imposed on you apply to that subprocessor.  In practice, this requires you to go through the same analysis in Steps 1-4 above regardless of whether you are the controller or processor of that data.

For more information on this process, see pages 2-3 of the EDPB publication referred to in Step 4c above. 

As a practical observation on Step 5:  The standard terms with most large data processing providers will likely meet the requirements of Article 28.

Note on Step 5:  If your EEA or UK processor is then exporting personal data back to a location that is not in the EEA/UK or a country that is adequate, you may also need to enter into additional SCCs with that EEA or UK processor that cover the re-export of the data, in order to meet the requirements for Article 46.  However, this is likely a fringe case so we have not elaborated on that.  We can discuss further if needed.


Under Article 27(2)(a), in respect of the personal data you control, you must appoint a representative in the EU and the UK, unless you meet all 3 of the following criteria: 

We would be happy to discuss this point further if you have any queries about whether you meet the criteria above.

We can also provide a referral to a service provider that provides EU and UK representative services, if you do not have anyone that you could use for this.

Record of data processing

Article 30 requires that, where you are acting as a controller or as processor (i.e. in relation to Uuser Ddata), you must maintain a record of data processing.  There are template records of data processing for controller and processors here.

Conduct an impact assessment

Article 35(3) requires data controllers to conduct a data protection impact assessment (DPIA) if the any of the following types of data processing is being conducted:  

From the information provided to us, you do not do these types of processing and therefore we do not think there is a requirement for you to conduct a DPIA.  

If you do want to conduct a DPIA, there is a good guideline and template for this here