In a world where an increasingly symbiotic relationship is developing between individuals and technology, data processing has become more and more important. The GDPR regulates all aspects of data processing activities, including the entities collecting and using the data. To this end, it distinguishes between data controllers and data processors, depending on the ownership of the processing operations. Each role carries with it a slightly different set of obligations, and it is crucial for data processing organisations to know which role they fulfil for each of the activities in which they are involved.
Data Controller v Data Processor
Article 4 of the GDPR outlines the definition of a data controller and a data processor. A controller is the “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. A processor, in contrast, is the “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
As a rule of thumb, then, whichever organisation has made the decision to collect and process the data, the reasons for which it is used, and how it should be processed, will be a controller, since the data controller is an entity which determines the purposes and means of the data processing. If, on the other hand, Microsoft is contracted by a law firm to store some data in the SharePoint Cloud service, Microsoft does not get to make any decisions about the processing – how long to keep the data, what to use it for. Microsoft will therefore not be the data controller. However, seeing as storage is a processing activity, and Microsoft will be offering storage services, they will be the data processor.
An organisation can’t be both the controller and the processor for one activity, since the processor “processes the personal data only on documented instructions from the controller.” If an organisation is a data controller and processes the data itself, there is simply no separate data processor for that operation. Coming back to the example of Microsoft, if they were storing their own employee data within SharePoint, they wouldn’t need a contract that “sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.” It helps to remember that the processor processes data on behalf of the controller. If the controller does the processing themselves, there is no need for anyone to do it on their behalf and therefore no need for a processor.
There can, however, be two data controllers for the same processing operation if they jointly determine the purposes and means of the processing. In that case, they would be joint controllers and free to determine their respective compliance responsibilities under the GDPR. Still, any data subject could exercise all their rights in respect of and against each of the controllers, irrespective of the controllers’ arrangement.
The data controller is the main party responsible for ensuring compliance with the principles of the GDPR, as they are the one with the power to determine the why and the how of the processing, which are the main aspects of processing that the GDPR regulates. That means that even if the controller fully outsources the processing to the data processor, they remain responsible for the operation: they must ensure that the processor is legally bound to meet the requirements under the GDPR or face the penalties for infringement.
What does this mean for Data Controllers?
As mentioned, the data controller is responsible and liable for any processing carried out by them or on their behalf. This extends to ensuring that all the principles of the GDPR are followed for each processing activity, e.g. that data protection impact assessments are performed for high-risk processing and that individuals have sufficient information about the processing to enable them to exercise their rights. Under Recital 74, data controllers are specifically responsible for the implementation of appropriate and effective measures and are obliged to demonstrate their compliance with the GDPR.
The controller “shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” The sufficient guarantees relate to the expert knowledge, reliability, and resources that the processor has access to. The controller will also need to rely on a contract or another legal act under EU or Member State law to be able to delegate the processing to the processor. The agreement must stipulate several elements with regard to the processing, such as that the processor:
Processes the personal data only on documented instructions from the controller
Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
At the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services
Makes available to the controller all information necessary to demonstrate compliance with the obligations, and more
Even having delegated the processing to a processor, the data controller remains the contact point for the individuals whose data is used and who wish to exercise their rights. For example, if an individual wishes to revoke their consent to a processing activity, or to exercise the right of access, they may express their choice to the controller. The controller will be responsible for passing the information on to the processor, or retrieving the data from the processor, and communicating the results to the individual. Similarly, if a processor receives a request from a data subject, they are required to inform the controller immediately and without undue delay to facilitate compliance with the request.
In a joint controllership, the controllers are required to determine their respective compliance obligations in a transparent manner, in particular with respect to informational obligations towards the data subjects and the facilitation of data subject rights. The essence of that agreement is to be made available to the data subject. Still, regardless of the terms of the controllers’ agreement, the data subjects can exercise their rights in respect of and against each of the controllers.
Since controllers retain the lion’s share of responsibility for any operation, it is crucial for them to be able to demonstrate compliance and accountability through documentation. Beyond the ordinary Records of Processing Activities (ROPAs), which enterprises of 250+ employees must complete for all processing operations, the controllers are responsible for conducting and documenting Data Protection Impact Assessments (DPIAs) for activities likely to result in a high risk for the data subjects, and Legitimate Interest Assessments (LIAs) where they rely on legitimate interests as their lawful basis for processing. While processors may, and often do, have certain assistance obligations in these compliance efforts, ultimately the responsibility lies with the controllers.
What does this mean for Data Processors?
As explained in the preceding section, data processors process personal data on strict instructions from the controllers. They are entrusted with making their own operational decisions within that limited scope; however, if they infringe the GDPR by determining the purposes and means of processing themselves, they will be considered a controller with regard to that operation, with all the responsibilities that entails.
We have touched earlier on the necessary elements to an agreement between a controller and processor. Since there can be no processing without those elements, any processor must be able to offer reasonable assurances that they can meet the conditions set out in the GDPR. They must be able to implement appropriate measures, as necessary to ensure the security of processing. These can include technological and organisational solutions, such as pseudonymisation and encryption, and the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. The processor must also be able to assist in facilitating data subject rights requests, performing DPIAs, and handling breach notifications. They must also contractually oblige themselves to not engage other processors without prior authorisation.
The processor does, therefore, assume a fair amount of responsibility for the personal data they process; however, their services must be agreed upon in detail in a contract with the controller before the processor begins their operations.
Why is this Important?
The accurate identification of the relevant data controllers and processors, and the communication of these in (a) Privacy Notice(s), upholds the principles of transparency and accountability found in paragraphs 1(a) and 2 of Article 5 and enables data subjects to trust the organisations that use their personal data. GDPR infringements also carry significant penalties, so it is important for all actors in data processing operations to understand their roles and the obligations those entail.