The minimum information needed for a processor to comply with its legal responsibilities, and for the controller to comply with Article 28, is to specify whether the data includes special categories of personal data. This raises the risk profile of the data set.

For personal data that does not fall into one of either:

  • child data under Article 8;
  • special Classes of Data under Article 9 (which adds biometric data and removes convictions data from the old DPA 1998); or
  • convictions data under Article 10

then the controller will need to refer to the categories and types of data it uses to make sense of its information asset inventory and make sure processors can maintain that view for data they hold on the controller’s behalf.

Types and categories of data

When looking at the meanings of 'type' of personal data, in the context of Article 28(3) and Recital 81, and 'category', it is helpful to differentiate in the following terms:



Format, i.e. paper files, online profiles, etc.

Personal v sensitive, i.e. address v health data

Which data or data categories are processed

‘HR leaders’ or ‘Team Leaders’ would be category of recipients

Type of data may be regular or special type

Category of affected persons is customers or employees, etc.


Category of data is master data, payroll data, health data, etc.


Rules for the processor’s contract with the controller

Article 28(3) is in the context of a processor's contract with the controller. The type of personal information has to be stated and can be: collected, observed, derived and special category. Article 28(3) (h) states the processor must ensure it: "makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article...", namely a report must be sourced.

The controller contract with a processor should not reveal any more about the structure of the data being provided than is needed for the processor to comply with its legal responsibilities. If the controller wishes to provide further information that the processor might require in order to carry out the technical tasks requested of it, then this should be provided in a separate document with a restricted circulation list.

Finally, it may be necessary to provide the controller with technical requirements and details to complement a Service Level Agreement. However, these do not need to be within a formal contract.

Contact our Data Protection and GDPR Lawyers Liverpool, Wirral, Merseyside and Across England & Wales

GDPR and data protection compliance requires an in-depth understanding of the rules and how to apply them in your business’s practices. That’s why it is vital that you seek specialist GDPR advice to ensure your business avoids fines for non-compliance. We provide a thorough service, providing practical advice and solutions from employment issues to third-party interactions. For a free initial consultation with our data protection and GDPR solicitors, contact us on 0151 659 1070 or complete our online enquiry form.


Make a free enquiry, call now

0151 659 1070

Please let us know your name.

Please enter a valid telephone number

Please let us know your email address.

Please let us know your message.

Please tick the box below

Invalid Input

Invalid Input
I understand that by submitting my query to you, my personal data (name, email address and contact number) will be processed by you in order to contact me and assist me with my query. I confirm I have read and understood the Privacy Notice and I consent to you processing my data for the purpose of contacting me to assist me with my query.

What our clients say

How can we help you?

To find how our friendly and knowledgeable solicitors can help you, contact us today.

Make a free enquiry - Call now - 0151 659 1070