A month has already passed since the day the new regulation on data privacy came into force.
After a pre-GDPR panic and what-should-I-do-now?! nightmares, the situation should be eased and clear to all by now.
Or maybe not…
A report published by Deloitte shows interesting statistics revealing the GDPR readiness status across Europe. Not too far back in 2018, a lot of companies were still unsure about how the GDPR would impact their business activities, and which parts of them, and only 15% of them were ready to be compliant before May 25th.
One rather shocking finding is also the fact that most of the companies, just a couple of months before the GDPR came into force, were not even aware of its existence!
Considering these circumstances, I wouldn’t doubt for a second that there is quite a lot of uncertainty out there. Especially, I would say, when it comes to understanding specific roles and responsibilities.
The GDPR highlights the differences between the Data Controller and the Data Processor, outlining the distinct obligations and roles that the two parties have. Nevertheless, the interpretation of the regulation and the lack of guidance have been raised as major issues, not least by the Article 29 Working Party. On top of this, when it comes to business relations the situation is quite complex: in many data-related activities, it is not easy to determine whether a company is a Controller or a Processor.
Think about this:
A university wants to collect information about its students with the purpose of producing statistics about the university population: percentage of international students, average age, and performance.
It hires a survey service provider to process the data and deliver the results to the university.
At the same time, the survey service provider makes use of these data to target a specific segment of students for its marketing purposes.
So, who’s the Data Processor and who is the Data Controller here?
We know that many companies don’t yet know what they are responsible for, and are struggling to keep performing their activities because they fear not complying with the new regulation. For these reasons, we would advise you to read this article, which aims to clarify some key points.
Why is it important?
Before trying to understand the differences, the first step to take is to clarify why making a distinction between the Data Controller and the Data Processor is important.
Data processing activities are particularly sensitive, as they involve personal data and concern real people. For this reason, it is crucial to avoid any gap in organisations’ responsibilities; that is, to prevent data subjects’ requests from being disregarded because roles and responsibilities are not defined between data controllers and data processors.
Furthermore, in the instance of a data breach, it is essential that the parties involved have a clear agreement on where responsibilities lie, as this will simplify the process of determining who is liable for what. This division of responsibilities should be agreed on at the very early stage of the relationship between data controller and data processor, to guarantee a smooth progression of business activities.
Definitions, Roles, & Responsibilities
Article 4 (paragraphs 7 and 8) of the regulation provides the definitions of Controller and Processor, clearly highlighting the substantial difference between the two:
- ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The Data Controller is the one who chooses what the data is used for and how to process it, whereas the Data Processor is the one that follows the instructions of the Data Controller and builds the systems to implement the data processing.
Further detail on the roles of these two parties can be found in Article 24 and Article 28 of the new regulation, which cover, respectively, the obligations of the Data Controller and the rules of action and obligations towards the Controller for the Data Processor. Both are summarized below.
Obligations of the Data Controller
The Controller is subject to two principles: Data Protection by Design and Data Protection by Default.
The first states that both at the time of determining the purpose of data processing (data planning) and at the time of data processing (execution time), Controllers are expected to implement processes and take specific security measures in order to carry out data-related activities in compliance with the GDPR. This implies that the Controller is responsible for:
- Assessing risk for people’s rights and freedoms;
- Implementing proper security measures to guarantee data protection;
- Elaborating and adhering to codes of conduct.
The second principle, Data Protection by Default, points out that Controllers should only process personal data serving a specific purpose, should collect data only if necessary, and should retain it only for a defined period. This means the Controller is responsible for:
- What data to collect;
- Where to store data, for how long, and when to dispose of it;
- How to use data and for which purposes.
A further obligation of the Data Controller is to ensure that the party chosen as its Data Processor can guarantee and demonstrate its compliance with the GDPR.
Obligations of the Data Processor
The data processor is mainly responsible for complying with the instructions dictated by the data controller. It has no decision-making power over what data to process, how to process it, or for which purpose. However, it has the key obligation to help the data controller perform its activities in compliance with the GDPR. It is, therefore, mainly responsible for:
- Operating only under the instructions of the Data Controller — this also covers the use of other Processors, which need to be approved by the Controller;
- Implementing the right IT systems to allow the Data Controller to collect data and fulfil its purposes;
- Implementing, and assisting the Data Controller to implement, proper security measures to guarantee data protection — this includes ensuring confidentiality on the part of the individuals who access data from the processor’s side;
- Assisting the controller in responding to any requests concerning the exercise of data subjects’ rights;
- Assisting the controller in being compliant with the GDPR;
- Being able to delete any personal data if required by the controller;
- Adhering to the codes of conduct outlined by the controller.
The regulation also recognizes the situation in which two companies act as data controllers of the same data, a.k.a. Joint Controllers (Article 26).
This occurs when more than one party is involved in determining the purpose and means of data processing. Joint controllers are required to fulfil the following:
- They should determine their respective responsibilities, compliance, and obligations towards the individual’s rights, all in a clear, unambiguous, and transparent manner.
- The responsibilities of each controller are determined by the EU/member state laws to which the controllers are subject.
- Data subjects need to be made aware of the responsibilities and duties that each controller has according to the arrangements made among the controllers. This way, data subjects will know which controller to reach out to for complaints and/or requests.
However, it is important to point out that the distribution of responsibilities does not release a company from the responsibilities it has towards data subjects, as the regulation clearly states that any data controller is liable for any damage that occurs during processing activities unless it proves that it is in no way responsible (Article 82).
In conclusion, what you need to remember is that if you decide for what purposes, and through which means, the data is collected, processed, and stored, you are the data controller. If you need instructions before performing any data processing activity, you are the data processor. However, the lower the level of supervision exercised by the Data Controller over the Data Processor, the higher the likelihood of the Data Processor becoming a co-controller of the data.
I hope that this brief article helped you to identify the key differences between the two roles; if there is anything in this article that you believe requires rectification, please do not hesitate to get in contact.
However, I find it extremely important to stress that this is not an official EU document. Therefore, we strongly advise you to get in contact with your legal advisor before taking any action.
To make it clearer, I gathered some examples which address various circumstances and should help you to further understand your role and responsibilities in the GDPR context.
Example 1 — Payroll Company
A brewery has many employees. It signs a contract with a payroll company to pay the wages. The brewery tells the payroll company when the wages should be paid, when an employee leaves or has a pay rise, and provides all other details for the salary slip and payment. The payroll company provides the IT system and stores the employees’ data.
The brewery is the data controller and the payroll company is the data processor.
Example 2 — Market Research Company
A biscuit manufacturing company engages a market research company to conduct research and provide recommendations on what it should target in its new product line to achieve the goal of 10% market growth, with no additional data or conditions outlined. The market research company has the freedom to decide which individuals to target for the research, what kind of personal data to collect, what kind of personal data to store, the storage mechanism, the approaches to processing the data, etc.
In this example “the purpose of the data processing and means of data processing” is decided by the market research company, which means the market research company is a Controller under the GDPR.
Example 3 — Payment Service Provider
A small online business owner needs a way to take payments from customers on its website. It uses a payment service provider (like PayPal) to capture personal information about its customers so that they can pay safely. The payment provider specifies that customers must provide their first and last names, address, and credit card details; the small online business cannot change this, nor will it have access to this data once it is submitted by the customer.
In this case, the payment service provider is the Data Controller. This is because the small business has no say over what data is collected, how it is stored, and how it is used.
Example 4 — Small Business
A local shop wants to make sure it is discoverable on Google. It does not know much about websites and contracts a web agency to build and run a website for the shop. Orders are not placed through the website. However, the local shop collects email addresses and contact details from visitors so that the web agency can send them marketing information. The website has a basic analytics system, like Google Analytics, that anonymously collects data about visitor behavior on the website.
Here, the local shop is the Data Controller. Although the shop doesn’t handle data on a daily basis, it has complete control over how data is collected and handled, because it has contracted the web agency to perform the processing for it. If it wanted to, the shop could ask its web agency to provide all the contact details they have collected and begin to manage its own promotional marketing.
Example 5 — Marketing Agency
A marketing agency provides lead generation services to a software company. The activity often involves email marketing and cold calling on behalf of the software company. In order to do this, the client provides guidelines on the types of targets and decision makers to contact and outlines the purpose of the assignment. The marketing agency can therefore process personal data and build a database based on the client’s guidelines necessary to engage with appropriate individuals.
The marketing agency is the Data Processor. This is because all the interactions that the agency has with the personal data of individuals are performed on behalf of its client, the Data Controller. The latter is the party that outlines the scope of the lead generation campaigns and decides which data to collect, while the agency performs the processing in pursuit of its client’s guidelines. In this scenario, the marketing agency can’t use the processed data for any purposes beyond those stipulated in the contract with the client.
Example 6 — Service Provider (Multiple Controllers)
A car hire company contracts a vehicle-tracking company to install devices in its cars and monitor them, in order to recover cars in the case they go missing.
They specify that the tracking company should track all the cars and send back the location data to the hire company six hours after the end of the hire period, if the car has not been returned.
The vehicle-tracking company uses its expertise to decide which information to collect about the cars and their drivers and how to analyze it.
Both of the companies are the controllers in their own rights as the car hire company determines the overall purpose of data collection, and the vehicle-tracking company has enough freedom to decide which information to collect and how.
Example 7 — Call Centers
Company X outsources some of its operations to a call center and instructs the call center to present itself using the identity of Company X when calling Company X’s clients.
In this case, Company X is the controller. Given the expectations of the clients and the way Company X presents itself to them through the outsourcing company, the outsourcing company acts as a data processor for (on behalf of) the controller.
Example 8 — Promotional Advertising & Direct Marketing
Marketing company Z provides promotional advertising and direct marketing services to various companies. GoodProduct Z concludes a contract with Marketing company Z, according to which the latter provides commercial advertising to GoodProduct Z’s customers.
Marketing company Z behaves as Data Processor, because the purpose of data processing is outlined by GoodProduct Z, the Data Controller.
Example 9 — Promotional Advertising & Direct Marketing 2
Marketing Agency Y provides commercial advertising for various companies, including Company A. Marketing Agency Y then decides to use Company A’s customer database for the purpose of promoting the products of other customers.
In this case, Marketing Agency Y is acting as Data Controller — the decision to use Company A’s data for other clients signifies that Marketing Agency Y is outlining the purpose of data processing.