When data processing involves more than one stakeholder, one of the first and most important questions to answer is: is each of them acting as a data controller or as a data processor?
Depending on the role of each stakeholder (i.e. controller or processor), their responsibilities differ greatly.
The new European General Data Protection Regulation (GDPR), applicable from May 2018, provides for three kinds of relationship between the stakeholders in a data processing:
Controller to Processor
Controller to Controller
Joint Controllers
Because of the rise of multi-service providers, it has become more and more difficult to work out the role of each party involved in personal data processing activities. Where a third party is allowed to use a set of personal data to provide a wide range of different services, it can be a data processor for one service and a data controller for another. This situation may be confusing, and professionals take different approaches to handling it.
The aim of this article is to explain why it is important to work out the role of each party to a personal data processing, and to provide some examples to help understand the reasoning when it comes to complex services.
1. Why is it so important to work out whether one is acting as a data controller or a data processor?
Defining the role of each party to data processing activities is crucial because it determines their liabilities in case of a breach of the GDPR.
1.1. A company acting as a data controller bears most of the responsibilities under the GDPR and under the data protection laws currently applicable in the European Union. A data controller is responsible vis-à-vis the individuals (i.e. data subjects) whose data is processed, and vis-à-vis the supervisory authorities, which can audit it and impose fines in case of a breach of the regulation (see data controller’s obligations here).
1.2. Under the current European data protection laws, data processors have no direct legal responsibilities; this is why data controllers have a legal obligation to enter into a contract with their data processors, so that each of them is at least contractually liable for any breach of the legislation.
However, under the GDPR (the new European data protection law) applicable from May 2018, data processors have new legal obligations and responsibilities, particularly in terms of data security (see article here). They can be held liable vis-à-vis the authorities and be subject to sanctions in case of a breach. Nonetheless, the extent of these obligations is limited, and a contract between controller and processor remains mandatory, as most of the GDPR obligations stay with the data controller.
2. What do “data controller” and “data processor” mean?
In broad terms, the data controller is the one in control of the data processing and making all the important decisions, while the data processor is a contractor acting on the instructions of the former.
According to the GDPR, a data controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; (…)” (art 4(7))
A data processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” (art 4(8)).
“The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.” (art 29)
In practice, however, it is not always easy to distinguish controller from processor, especially because of the complexity of the services provided.
3. How to work out whether a third party recipient is a data controller or a data processor?
Where a company acts alone, without any third party being involved in its processing activities, it is the sole data controller (e.g. a company running its own online business and hosting its own website). In this case there is no data processor.
The question becomes more complex, however, when a third party is involved in the company’s data processing activities.
As stated above, there are three kinds of relationship between a data controller and a third party involved in its processing activities. Below is an example of each kind, to help the reader understand how it works.
Example 1: Controller to Processor relationship
A company A runs its online business and its own website. Customers’ personal data collected through the website is stored by a company B, which is only allowed to host the data.
In this case A is a data controller and B is acting as a data processor, as B only acts on A’s instructions and does not use the data for its own purposes (i.e. it is A’s subcontractor).
Example 2: Controller to Controller relationship
The same company A decides to sell a copy of its customer database to a company C for C’s direct marketing activities.
Once the transaction is agreed, the data is transferred from A to C, and A is neither involved in nor benefits from C’s data processing activities.
In this case, each party acts as a data controller for its own processing activities, and the two remain independent of each other. This is a controller-to-controller relationship.
Example 3: Joint Controllers relationship
A and C enter into a partnership to promote a product.
They set up a common website with a common customer database, and both are involved in providing the services: C is in charge of setting up the website, and A of hosting the database and sending direct marketing on behalf of both A and C.
In this case, A and C are joint controllers. This means they have data processing activities in common and must enter into an arrangement (art 26) setting out which of them is in charge of each of the data protection obligations provided for in the GDPR (e.g. security, information of data subjects, handling of requests, etc.).
4. What if the same personal data are used for different purposes by the data recipient?
A more complex, but nonetheless common, situation is where a company A shares personal data with B for several purposes, for which B could act as data processor, joint controller or independent controller depending on the purpose of each processing.
It is important to distinguish this situation from the one where two parties A and B share different sets of data subjects’ personal data for different purposes (e.g. A shares customers’ data with B for direct marketing purposes and employees’ data for payroll). In that case the following does not apply, as these data processing activities are totally independent of each other.
This section concerns the case where the same set of personal data is processed for different purposes by a third party. For example, A asks B to host its customer database and allows B to use it for B’s own direct marketing purposes. They also agree that B will perform profiling and share the outcome with A, so that A and B can better target their customers when sending direct marketing to them.
First approach/step: working out the role of each party per purpose/service provided
Insofar as the same personal data is used to fulfil the aforementioned purposes, the role of each party for each processing purpose would be as follows:
- Hosting: B is a data processor of A, as the hosting is performed on A’s instructions
- Direct marketing: each party acts on its own account; A and B are “independent” controllers for this purpose
- Profiling: the means and purposes are shared, so both parties should be considered joint controllers
Being aware of the role of each party per purpose of processing is particularly important when drafting the contract (see below).
Some data protection specialists will be satisfied with this approach and will not go any further. However, it may prove unsatisfactory because of the legal definition of data processor.
Second approach/step: considering all the purposes as a whole
There is a contradiction in being both data controller and data processor of the same data.
As mentioned above, a data processor acts only on the instructions of the data controller.
Therefore, taking our previous example, how can B act only on A’s instructions when hosting the personal data if it can use that same data for its own profiling and direct marketing activities?
From a more pragmatic perspective, if B were to lose the personal data because of an issue with the server storing A’s data, why would A be the only one notifying the supervisory authority and, potentially, its customers? There is no reason why B should not do so too, since it uses exactly the same data and lost it.
It is better to consider the third party as a controller …
Therefore, when working out the role of a third party that provides several services concerning the same personal data, it is easier to take all the data processing purposes as a whole and determine which role best reflects the relationship between the two parties.
In our example, since B is both a data processor and a data controller when processing A’s personal data, and since A and B have the profiling activities in common, A and B should be considered joint controllers for the whole set of processing activities, in order to avoid any contradiction in the contract.
… but without forgetting that it performs processor-like activities on the other controller’s behalf
However, stating that B is a joint controller does not mean that it cannot have obligations similar to those of a data processor. It is only inconsistent to state in a contract that it acts solely on A’s instructions. The contract will need to be adapted accordingly, taking into account that some of the services provided are closer to a processor’s activities than to a controller’s.
Given the growing complexity of the services provided by third parties, it is more and more difficult to work out the role of each party, and unfortunately it is often a grey area. With the GDPR approaching, it will be increasingly necessary, before entering into a contract, to have a very deep understanding of the data processing at stake, of the kind of data shared, and of which categories of data are concerned by each purpose of processing. This is time consuming and at odds with a business context in which a contract with a third party must be negotiated within a given time. However difficult it is to work out each party’s role, the risk has become too high to neglect this point.