Controller or processor? What are we?
Are you a service provider acting as a processor? Or a controller engaging a service provider? Is the relationship clear?
There are a few regulatory cases which remind us why it’s important to establish whether we’re acting as a controller or a processor, and to clearly define the relationship in contractual terms.
On paper the definitions may seem straightforward, but deciding whether you’re acting as a controller, joint controller or processor can be a contentious area.
Two regulator rulings to note
- The ICO has taken action against a company providing email data, cleansing and marketing services. In the enforcement notice, it’s made clear the marketing company had classified itself as a processor. The ICO disagreed.
- The Spanish data protection authority (AEPD) has ruled a global courier service was acting as a controller for the deliveries it was making. Why? Largely due to insufficient contractual arrangements setting out the relationship and the nature of the processing.
Many a debate has been had between DPOs, lawyers and other privacy professionals when trying to classify the relationship between different parties.
It’s not unusual for it to be automatically assumed all suppliers providing a service are acting as processors, but this isn’t always the case. Sometimes joint controllership, or separate distinct controllers, is more appropriate.
Organisations more often than not act as both, being a controller for some processing tasks and a processor for others. Few companies will solely be a processor; for example, most will be a controller for at least their own employment data, and often for their own marketing activities too.
What the law says about controllers and processors
The GDPR tells us a controller means ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’.
A processor means ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.
How to decide which we are
There are some key questions to ask which will help organisations reach a conclusion.
- Do we decide how and what personal data is collected?
- Are we responsible for deciding the purposes for which the personal data is processed?
- Do we use personal data received from a third party for our own business purposes?
- Do we decide the lawful basis for the processing tasks we are carrying out?
- Are we responsible for making sure people are informed about the processing? (Is it our privacy notice people should see?)
- Are we responsible for handling individual privacy rights, such as data subject access requests?
- Is it us who’ll notify the regulator and/or affected individuals in the event of a significant data breach?
If you’re answering ‘yes’ to some or all of these questions, it’s highly likely you’re a controller.
And the ICO makes it clear it doesn’t matter if a contract describes you as a processor; “organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services”.
Controller or processor? Why it’s important to confirm your status
Controllers have a higher level of accountability to comply with all data protection principles, and are also responsible for the compliance of their processors.
If you are a processor, you must only handle the controller’s data under their instructions.
This means if you’re doing anything else with this data, for your own purposes, you can’t be a processor for those purposes. You will be acting as a controller when the processing is for your own purposes.
Let’s be clear though, this doesn’t mean a processor can’t make some technical decisions about how personal data is processed.
Data protection law does not prevent processors providing added value services for their clients. But as a processor you must always process data in accordance with the controller’s instructions.
Processors also have a number of direct obligations under UK GDPR – such as the technical and organisational measures they use to protect personal data. A processor is responsible for ensuring the compliance of any sub-processors it may use to fulfil its services to a controller.
Controller-Processor data processing agreements
If the relationship is controller to processor, you must make sure you have a suitable agreement in place. The specific requirements for what must be included in contractual terms between a controller and processor are set out in Article 28 of EU / UK GDPR.
Often overlooked is the need to have clear documented instructions from the controller. These instructions are often provided as an annex to the main contract (or master services agreement), so they can be updated if the processing changes.
There will be times where you’re looking to engage the services of a household name, a well-known and well-used processor. There may be limited or no flexibility to negotiate contractual terms. In such cases, it pays to check the terms and, if necessary, take a risk-based view on whether you wish to proceed.
What’s clear from the Spanish courier case is how important it is to have contracts in place defining the relationship. The ICO ruling demonstrates even if your contract says you’re a processor, if you are in fact in control of the processing, this will be overturned, and you’d be expected to meet your obligations as a controller.