Establishing whether a third party to whom a company transfers data under the Data Protection Act 2018 (“the DPA 2018”) is classified as a ‘controller’ or ‘processor’ is sometimes straightforward. At other times, the position can be more complex with parties unsure or even having opposing views. This briefing note considers this relatively common issue, and how to minimise risk in situations of ambiguity.
To begin with, it is appropriate to consider the Controller and Processor definitions:
Controller – “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4(7) of the General Data Protection Regulation (GDPR)).
Processor – “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” (Article 4(8) GDPR).
The key difference between the two is that a controller determines the purpose and means of processing the data and the processor acts on the controller’s behalf. If a data processor determines the purpose and means of the processing, the processor is considered a data controller with respect to that particular data processing.
Why is the distinction important?
It is important to establish whether a party is a controller or processor, because the two roles carry different obligations, both contractually and under the DPA 2018. For example, following a personal data breach, a processor has a legal obligation to notify the controller, whereas it is the controller that must decide whether the ICO and the affected data subjects need to be notified. The label used in a contract is not decisive: a party described as a processor may in law be a controller, and will then carry the additional obligations that the DPA 2018 places on controllers. The circumstances, and the way in which the data is actually controlled and processed, must be assessed in order to establish the correct role, regardless of how the party is labelled or described in the contract.
A typical example of a controller/processor relationship is where an employer outsources payroll to another company. The employer is the controller of the data, because they instruct the payroll company upon what to do with the data, and the purpose for doing so. The payroll company processes the data based upon these instructions.
Controllers are responsible for compliance with the DPA 2018 and must also be able to demonstrate that compliance. Controller obligations include:
- Showing compliance with key principles of the DPA 2018 (fairness, transparency and lawfulness).
- Establishing and recording the legal basis for processing data.
- Providing information to data subjects regarding the data they hold, for what purpose and for how long it will be retained.
- Protecting personal data and preventing unlawful processing.
- Ensuring that the processor has the appropriate security measures in place to protect data.
- Ensuring there is a binding contract between themselves and the processor, which imposes obligations on the processor.
Processors now have increased obligations regarding data processing under the DPA 2018, particularly in comparison to previous data protection legislation. Processor obligations include:
- Maintaining records of processing activities.
- Implementing appropriate security measures. Where a data breach occurs, the processor will need to show they had secured the data adequately.
- Notifying the controller without undue delay after becoming aware of a personal data breach (Article 33(2) GDPR); contracts frequently tighten this to “immediately” or to a fixed number of hours.
- Appointing a data protection officer (where applicable).
- Complying with international data transfer requirements.
Contractual Obligations for Processors
Alongside their obligations under the DPA 2018, processors should have contractual obligations imposed by the controller which aid the controller in its own compliance. A processor’s activities are required to be governed by a “contract or other legal act under Union or Member State law”. That contract must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller (Article 28(3) GDPR).
Under the contract, the processor should be contractually obligated to:
- Only process data in accordance with the instructions of the controller. This should be recorded to demonstrate compliance.
- Ensure that only authorised personnel have access to and can process personal data, and that there are sufficient confidentiality clauses and policies in place regarding this.
- Implement security procedures and policies to ensure data is kept securely.
- Abide by the rules regarding appointment of sub-processors.
- Assist the controller, by appropriate technical and organisational measures, in responding to requests from data subjects exercising their rights.
- Assist the controller in compliance with the DPA 2018, taking into account the nature of the processing and the information available to the processor.
- Delete or return all personal data to the controller at the end of the provision of services, and delete existing copies, unless a longer retention period is required by law.
- Make available to the controller all information necessary to demonstrate compliance with the DPA 2018, and allow for and contribute to audits and inspections conducted by the controller or an auditor mandated by the controller.
- Inform the controller immediately if, in the processor’s opinion, an instruction infringes the DPA 2018 or other data protection law.
How to determine who is a controller/processor
In order to determine whether a party is a controller or processor in law, the degree of independence each party exercises in relation to the processing must be considered. The more restricted a party is in how it may handle the personal data, the more likely it is to be a processor rather than a controller. In particular, organisations should consider:
- The amount of independence a party can exercise when processing data, assessed against the level of instruction provided to the party.
- Who is monitoring the processing and how closely they are doing this. The more closely a party is monitoring, the stronger the indication that party is a controller.
- Who the data subject perceives to have control over processing their personal data.
- The expertise of the parties. For example, a service provider may have professional expertise, which may indicate it is a data controller.
Penalties for non-compliance
Data controllers and processors risk facing significant penalties should they fail to comply with their obligations, both contractually and under the DPA 2018. They could be subject to the following:
- Civil and administrative penalties.
- Compensation claims by data subjects who have suffered material or non-material damage as a result of an infringement.
- Breach of contract claims.
- Administrative fines of up to 4% of total worldwide annual turnover or 20 million Euros (whichever is higher) for the most serious infringements; a lower tier of 2% or 10 million Euros applies to infringements of the controller and processor obligations described above, such as those under Article 28 GDPR.
- Reputational damage.
If a party has been inaccurately determined to be a processor, it will be bound under the DPA 2018 as a controller notwithstanding that it has entered into processor obligations. As to the contractual processor obligations, those that exist solely to satisfy the DPA 2018 (for example, the Article 28(3) terms listed above) would not apply, since they are designed to bind processors only. The position is more complex where the controller has imposed ‘enhanced’ processor obligations that relate to, but go beyond, the statutory processing obligations. In practice, if both parties agree to a revised ‘controller to controller’ determination, the sensible course is to enter into a variation agreement reflecting this. Depending on the relationship between the parties, controller to controller wording can range from very straightforward to highly bespoke.
The ICO has published guidance on how to understand the roles of the controller and processor and the obligations required by each of them.