Establishing whether a third party to whom a company transfers data under the GDPR is classified as a ‘controller’ or a ‘processor’ is sometimes straightforward. At other times, the position can be more complex, with the parties unsure or even holding opposing views. This briefing note considers this relatively common issue and how to minimise risk in situations of ambiguity.
To begin with, it is appropriate to consider the Controller and Processor definitions:
Controller – “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. Article 4(7) General Data Protection Regulation 2018 (GDPR)
Processor – “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. Article 4(8) GDPR
The key difference between a controller and processor is that a controller determines the purpose and means of processing the data and the processor acts on the controller’s behalf. If a data processor determines the purpose and means of the processing, the processor is considered a data controller with respect to that particular data processing.
Why is the distinction important?
It is important to establish whether a party is a processor or a controller, because each has different obligations, both contractually and under the GDPR. For example, when there is a data breach, the data processor has a legal obligation to inform the controller of the breach. Regardless of whether there is a contract in existence stating that a party is a processor, that party may in law be a controller, and consequently have additional obligations under the GDPR. It is important to assess the circumstances and the ways in which the data is being controlled and processed in order to establish whether the company is a processor or a controller, regardless of how it is labelled or described in the contractual documents.
A typical example of a controller/processor relationship is where an employer outsources payroll to another company. The employer is the controller of the data, because it instructs the payroll company on what to do with the data and the purpose for doing so. The payroll company processes the data based on these instructions.
Controllers are responsible for compliance with GDPR and must also be able to demonstrate compliance. Controller obligations include:
• Complying with the key principles of the GDPR, namely fairness, transparency and lawfulness.
• Establishing and recording the legal basis for processing data.
• Providing information to data subjects regarding which data is being held, for what purpose and for how long it will be retained.
• Protecting personal data and preventing unlawful processing.
• Ensuring that the processor has appropriate security measures in place to protect data.
• Ensuring that there is a binding contract between themselves and the processor which imposes obligations on the processor.
Processors now have increased obligations regarding data processing under the GDPR, particularly in comparison to previous data protection legislation. Processor obligations under the GDPR include:
• Maintaining records of processing activities.
• Implementing appropriate security measures. Where a data breach occurs, whether the processor secured the data adequately will be examined.
• Informing the controller immediately of any data breach.
• Appointing a data protection officer (where applicable).
• Complying with international data transfer requirements.
Contractual Obligations for Processors
Alongside their obligations under the GDPR, processors should have contractual obligations imposed by the controller which aid the controller in compliance. Data processors’ activities are required to be governed by a “contract or other legal act under Union or Member State law”. This contract should set out the subject matter, duration, nature and purpose of the processing, together with the type and category of data subject and the obligations and rights of the data controller.
Under this contract, the processor should be contractually obligated to:
• Only process data in accordance with the instructions of the controller, which should be recorded to demonstrate compliance.
• Ensure that only authorised personnel have access to and can process personal data, and that sufficient confidentiality clauses and policies are in place regarding this.
• Implement security procedures and policies to ensure data is kept securely.
• Abide by the rules regarding the appointment of sub-processors.
• Assist the data controller by introducing measures which comply with data subjects’ rights.
• Assist the controller in compliance with the GDPR, taking into account the nature of the processing and the information available to the processor.
• Dispose of or destroy personal data when required on termination of the contractual relationship, unless a longer retention period is required by law.
• Provide the controller with the information necessary to demonstrate compliance with the GDPR obligations relating to processors.
• Inform the data controller immediately of any belief the processor has that the controller’s instructions breach the GDPR or any other UK law.
How to determine who is a controller/processor
In order to determine who is, in law, a controller or a processor, the independence each party exercises in relation to processing the data must be considered. The more restricted a party is in how it can handle personal data, the more likely it is a data processor rather than a controller. In particular, organisations should consider:
• The amount of independence a party can exercise when processing data, assessed against the level of instruction provided to the party.
• Who is monitoring the processing and how closely they are doing so. The more closely a party monitors the processing, the stronger the indication that it is a controller.
• Who the data subject perceives to have control over processing their personal data.
• The expertise of the parties. For example, a service provider may have professional expertise, which may indicate it is a data controller.
Penalties for Data Processors
Data processors risk facing penalties should they fail to comply with their contractual requirements and those under the GDPR. They could be subject to the following penalties:
• Civil and administrative penalties.
• Damages in private claims by supervisory authorities and data subjects.
• Breach of contract claims.
Sanctions for Data Controllers
• Fines of up to 4% of international turnover or 20 million Euros (whichever is higher).
• Reputational damage.
If a party is inaccurately determined to be a processor then, notwithstanding that it may have entered into processing obligations, it will be bound under the GDPR as a controller. With regard to the contractual processing obligations, those that relate exclusively to the GDPR would not apply, since these are designed to apply only to processors. The position is more complex where a controller has imposed ‘enhanced’ processor obligations that relate to, and yet go beyond, the GDPR processing obligations. In practice, if both parties agree to a revised controller-to-controller determination, a sensible course of action would be to enter into a variation agreement to reflect this. Depending on the relationship of the parties, the controller-to-controller wording can range from very straightforward to something more bespoke.