Are we controller, or are we processor?
(…and I’m on my knees looking for the answer, are we Controller, or are we Processor?)
Ever since the final text of GDPR was published back in 2016, deciding whether you’re acting as a controller or a processor has been a contentious area for some businesses.
On paper the definitions may seem straightforward, but as ever the devil’s in the detail and interpretation.
I was interested to see a recent ICO enforcement notice which concluded a marketing company was acting as controller, despite classifying itself as a processor.
This case was pretty clear-cut; the company clearly used personal data it received from other companies for its own purposes and financial gain.
But the distinction can be more nuanced.
Many a debate (and disagreement) has been had between DPOs, lawyers and other privacy professionals when trying to classify the relationship between different parties.
It’s not unusual for it to be automatically assumed all suppliers providing a service are processors, but this isn’t necessarily the case. Sometimes joint controllership, or distinct controllers, is more appropriate.
Organisations more often than not act as both, being controller for some processing tasks and processor for others. Few companies will solely be a processor; most will be a controller for at least their own employee data, and often for their own marketing activities too.
So what does the law say a controller and processor are, and how should we interpret this?
The GDPR tells us a controller means ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’.
A processor means ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.
There are some key questions which will help organisations to reach a conclusion, such as:
- Are we responsible for deciding the purposes for which personal data are processed?
- Are we responsible for deciding how and what data is collected?
- Do we decide the lawful basis for the processing tasks we carry out?
- Do we make sure people are informed about the processing of their data?
- Do we handle individual privacy rights, such as data subject access requests?
- Is it us who’ll notify the Regulator / affected individuals in the event of a significant data breach?
And so on…
If you’re answering ‘yes’, you’re a controller. And the ICO makes it clear it doesn’t matter if a contract describes you as a processor; “organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services”.
Why it’s important to get this right
Controllers have a higher level of accountability to comply with all data protection principles, and are also responsible for the compliance of their processors.
If you are a processor, you must only handle data on behalf of another organisation and under their instructions.
This means if you’re doing anything else with this data, for your own purposes, you can’t be a processor for those purposes. You must be the controller – at least for those purposes for which you were not instructed by another party.
Let’s be clear though, this doesn’t mean a processor can’t make some technical decisions about how personal data is processed.
Data protection law does not prevent processors providing added value services for their clients. But as a processor you must always process data in accordance with the controller’s instructions.
Processors also have a number of direct obligations under UK GDPR – such as the technical and organisational measures they use to protect personal data. A processor is responsible for ensuring the compliance of any sub-processors it may use to fulfil its services to a controller.
If the relationship is controller to processor, you must make sure you have a suitable agreement in place which covers key data protection requirements.
Often overlooked is the need to have clear documented instructions from the controller. These instructions are often provided as an Annex to the main contract, so they can be updated if the processing changes.
What’s clear from the recent ICO ruling is that even if your contract says you are a processor, if you are in fact in control of the processing, that classification will be overturned.
In this case, the marketing company has been given three months to mend its ways. Actions required include notifying individuals that the company is processing their data, ceasing to process personal data where this is not possible, and making sure robust evidence of consent is retained.
The ICO doesn’t let us mark our own homework; it’s interested in what we do as opposed to what we say we do!
In July 2021 the European Data Protection Board published its adopted guidelines on the concepts of controller and processor.