- “Controller” is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; and
- “Processor” is the natural or legal person, public authority, agency or other body, which processes personal data on behalf of the data controller.
However, the GDPR introduces a new obligation on data processors/controllers. Article 28.3 of the GDPR states “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”
We are receiving many enquiries from clients regarding what their relationship is to third parties they currently engage with. It is worth bearing in mind that not every contractual relationship is that of data processor/controller. There can be instances where:
- Both parties are data processors
- Both parties are data controllers
- The parties are joint data controllers
Joint controllers are two or more controllers that jointly determine the purposes and means of processing (as opposed to two or more data controllers separately determining the purposes and means of processing).
The key to determining whether you are a data controller or a data processor in a contractual relationship is the degree of independence each party has in deciding how the data is processed, together with the degree of control each has over the content of the personal data.
Where you engage a lawyer to provide legal advice, you will not have sole data controller responsibility even though you initiated the work by asking for advice. Responsibility also lies with the law firm because it determines what information to obtain and process in order to do the work. The law firm is also a data controller.
If you are an online retailer using a third-party payment provider, the payment company decides what information is required from customers to process payments and determines how long customer credit card details are retained. So the payment provider is a data controller too.
If you are a cloud provider storing data, and you are contracted to delete certain data after a period and to allow customers access to their data, then you are a data processor. The conditions of the contract mean there is no scope for you to process the data for your own purposes.
To determine whether you are a data controller, you need to ascertain which party/parties decide:
- to collect the personal data in the first place and the legal basis for doing so
- the content of the data
- the purpose or purposes the personal data is to be used for
- which individuals to collect personal data about
- whether to disclose the personal data, and if so, to whom
- how long to retain the personal data or whether to make non-routine amendments to the data
A data processor may decide:
- what IT systems or other methods to use to collect personal data
- how to store the personal data
- the detail of the security surrounding the personal data
- the means used to delete or dispose of the data