Where more than one party is involved in personal data processing operations, the first question to answer is: is each of them acting as a controller or as a processor?
Depending on the role of each party (controller or processor), its obligations and responsibilities in respect of the processing of personal data differ greatly.
The European General Data Protection Regulation (GDPR) provides for three kinds of relationship between parties involved in data processing operations:
- Controller to Processor
- Controller to Controller (independent controllers)
- Joint Controllers
Because of the rise of multi-service providers, it has become more and more difficult to determine the role of each party involved in processing operations.
Where a third party is allowed to use a set of personal data to provide a wide range of different services, it may be a controller for one service and a processor for another. This situation is confusing, and practitioners take different approaches to handling it.
The purpose of this article is to explain why it is important to determine the role of each party to personal data processing operations, and to provide some examples and possible ways to handle complex situations.
1. Why is it so important to determine whether one is acting as a controller or a processor?
Determining the role of each party to data processing operations is crucial as their responsibilities are different depending on their role.
1.1. Controllers are legally responsible for the compliance of their processing operations with the GDPR and are liable to the individuals and to the supervisory authorities, which can audit and sanction them if they breach the regulation.
1.2. Processors' direct legal obligations are more limited (for example, implementing appropriate security measures, keeping records of their processing activities, notifying the controller of personal data breaches and not engaging sub-processors without the controller's authorisation). For this reason, controllers and processors have a legal obligation to enter into a contract, so that the processor does not expose the controller to a GDPR breach. However, where a processor breaches one of its own statutory obligations (as opposed to its contractual ones), it remains directly liable to the authorities and to the data subjects.
2. What do “controller” and “processor” mean?
The controller determines the purposes and the means of processing and may act alone or jointly with others.
In other words, it makes all the important decisions regarding the processing operations.
The processor is a third party that processes personal data only on the controller's behalf and on its documented instructions, unless it is required to process them otherwise under Union or Member State law.
Given the rise in complexity of certain services, it is not always easy to make a distinction between controller and processor in practice.
3. How to determine whether a data recipient is a controller or a processor?
Where a company acts alone, it is a controller (e.g. a company running its online business and hosting its own website), and there is no processor.
However, when the controller shares personal data with a third party, the latter may be acting as an independent controller, a joint controller or a processor.
Given the infinite number of possible situations, an exhaustive analysis is not feasible. The examples below therefore aim to give a high-level view of possible ways to deal with various kinds of data-processing situations.
Example 1: Controller to Processor
Company A runs its online business and decides to outsource the storage of its customers’ data to Company B.
To the extent that B is only allowed to store the data, A is a controller and B a processor, as B acts only on A's instructions and will not use the data for its own purposes (i.e. it is A's subcontractor).
The parties must enter into a data processing agreement in compliance with article 28 GDPR, which sets out the provisions a controller to processor agreement must contain: among others, the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, the obligation to process only on documented instructions, confidentiality, security measures, the rules for engaging sub-processors, assistance with data subject requests and breach notification, deletion or return of the data at the end of the service, and the controller's right to audit.
Example 2: Independent Controllers
The same company A has agreed to sell a copy of its customer database to Company C for C's direct marketing activities.
Once the copy of the data has been provided to C, A will play no role in, and derive no benefit from, C's direct marketing campaign.
In this case, each party is a separate controller of its own processing activities, and they remain independent from each other.
A contract is not legally required but is strongly recommended, as C would need A to have obtained the individuals' consent to marketing on C's behalf, and will want that commitment in writing.
Example 3: Joint Controllers relationship
A and C have decided to promote and sell a product online in partnership.
C will be in charge of managing the website and the customers’ purchase orders while A will carry out the direct marketing campaign on both parties’ behalf.
Both parties benefit from the processing operations (direct marketing, customer relationship management, etc.) and have jointly determined how they will carry them out.
Therefore, A and C act as joint controllers regarding these processing operations.
Being joint controllers involves, in particular, allocating each party's GDPR obligations (e.g. security, informing data subjects, handling individuals' requests, etc.) in a written arrangement, the essence of which must be made available to the data subjects.
Although this arrangement does not bind third parties, it will help determine each party's responsibilities in case of a GDPR breach; data subjects may nevertheless exercise their rights against either controller, regardless of the allocation.
4. What to do if the data recipient acts both as a controller and a processor of the same set of personal data?
It often happens that a third-party recipient processes the same set of personal data for different reasons. It becomes tricky, however, when this third party is a controller, a joint controller or a processor depending on the processing operation it is carrying out.
Unfortunately, given the complexity of these situations and the lack of clarity of the GDPR and of the authorities' position in this respect, there is no perfect and universal answer.
The parties should therefore carry out a detailed analysis and adapt their contract on a case-by-case basis, depending on the processing operations at stake and each party's resulting GDPR obligations and responsibilities.
The example provided below aims to show one of the possible approaches the parties may follow to mitigate the risk and avoid the inconsistencies arising out of this kind of situation.
For example, A asks B to host its customer database and allows B to use it for B's own direct marketing activities. A and B also agree that B will carry out analytics research on the data and provide the results to A, so that both can better target their customers as part of their direct marketing activities.
What is the role of A and B?
The role of each party for each of the processing operations/purposes should be as follows:
- Hosting: B is a processor and A a controller, as B performs the services on A’s behalf.
- Direct marketing: each party carries out this activity independently, so A and B are independent controllers for this purpose.
- Analytics: B performs the service, both parties benefit from it and they have jointly determined its purpose and means, so they are joint controllers.
In this situation, some data protection specialists will use a different set of clauses in their data protection agreement to cover each purpose of processing (i.e. controller to controller, joint controller, controller to processor clauses).
However, this approach is not ideal, as it leads to contradictions in B's contractual obligations (e.g. when B acts as a controller, it necessarily breaches some of the obligations it has as a processor).
In this respect, we suggest considering B’s processing activities as a whole and drafting a data processing agreement with the aim of ensuring an overall GDPR compliance at all time.
How to overcome the potential contradictions in the third party’s obligations?
If we take each processing operation separately, B must act only on A's instructions when hosting A's personal data. However, it will breach these instructions (i.e. only storing the data) when it uses this same data set for its analytics research and its direct marketing campaigns.
In the same way, B could be in breach of either its controller or its processor obligations if it notifies a personal data breach occurring on its servers to the authorities (instead of notifying A and letting A do it), or if it keeps the data for its marketing campaigns after A has terminated the hosting service.
To avoid contradictions in B's various obligations, B should, in this case, be regarded as a controller, as its controller activities (i.e. analytics and marketing campaigns) appear to prevail over its processor activities (i.e. the hosting service).
In this regard, the parties should allocate in detail their respective GDPR obligations and liabilities in their data processing agreement (e.g. security, information notice, retention period, authorised uses of the personal data, data breach notification, etc.).
Treating B as a controller does not mean that the agreement may not contain processor-like obligations, or that B is allowed to do whatever it wants with the data. As A remains partially responsible for the GDPR compliance of the processing operations and B is partially a processor, A should, among other things, restrict B's use of the personal data to what is strictly necessary, be notified of any data breach, retain a right to have the data returned or deleted at the end of the relationship (reversibility) and keep a right to audit B.
Comments: Where B's main service is hosting the data on A's behalf, opting for a controller to processor agreement may be the better option, regardless of the contradictions that arise from it.