One of the most complex questions raised by the General Data Protection Regulation (GDPR) is that of data controller vs. data processor.
Despite the data controller[1]and data processor[2]definitions provided in article 4 of GDPR, these two concepts remain difficult to ascertain when dealing with daily operations and the complex relationships between companies.
In its Opinion 1/2010 on the concepts of “controller” and “processor”[3], the European Data Protection Board (EDPB), then known as the WP29, mentions certain criteria that may help in determining the right role:
– The service provider’s level of autonomy: is the provider truly autonomous in the way it processes personal data? Or must it simply follow the controller’s instructions?
– The controller’s monitoring: does the service provider report to the controller? Does the controller have the ability to monitor the way it processes personal data, and to control its compliance to controller’s instructions?
– The provider’s visibility: are data subjects aware of the service provider’s existence? Do they know that they are dealing with the provider or do they perceive the controller as their sole point of contact?
– The provider’s expertise: does the provider’s work imply a traditional role and professional expertise? This criterion applies for example to an auditor who cannot be considered as a processor because of the very nature of his job.
All of these criteria certainly give a better idea on how to attribute roles to the different actors of data privacy.
Nevertheless, where doubt remains and a decision needs to be made in order not to impede the business, which role should a company choose for its provider?
1. Service provider as data processor: the good and the bad
Choosing the role of processor for a provider has many consequences on the parties’ relationship.
It automatically places the client company in a strong position: the processor has to follow its instructions and cannot process personal data for any purpose other than the one defined by the client. In that way, the client company retains control over its database.
It will also have the ability to enforce on the provider the most adequate security measures for the processing, and to control their proper implementation via audits.
However, this does not mean that it is always preferable to opt for this qualification. Audits may seem like an advantage, but they can quickly become a heavy burden on the controller, since it has an obligation to resort exclusively to processors who are compliant with GDPR and therefore to carry out proper verifications ensuring that compliance.
Furthermore, if a fine were to be imposed on the client company, it will only be able to demand from its processor a reimbursement equivalent to that processor’s responsibility in the alleged misconduct.
2. Service provider as independent or joint data controller: the good and the bad
As a reminder, the difference between an independent data controller and a joint data controller is as follows: an independent data controller is one that has defined the means and purposes of its own processing for its own benefit. A joint data controller has defined, jointly with another controller, the means and purposes of a processing that they chose to carry out together and that benefit them both.
Choosing the role of data controller for a provider, whether as an independent data controller or a joint data controller, implies further responsibilities for it.
A provider acting as independent data controller may decide to process personal data for purposes defined by the provider itself and that benefit the provider alone (such as direct marketing, reselling of database, etc.). The client company would then lose all control on the database, and it cannot give any instruction to its service provider regarding the personal data processing.
The client cannot force the provider to comply with the security measures of its choice, or to assist it such as a data processor must. However, if the parties act as joint controllers, it is possible to share certain obligations, especially relating to the management of data subjects’ requests, notification of data breaches to the competent authority or to data subjects, and carrying out data protection impact assessments.
Lastly, in the event that the client company is fined, it will be possible for it to clear itself of any responsibility by proving that the misconduct was completely caused by the other data controller: the service provider, and this whether it acts as an independent data controller or a joint data controller. The provider will then have to pay the entirety of the fine.
To conclude, one should not forget that the role given to a service provider will first and foremost depend on the legal analysis regarding its involvement in the data processing. The client company must not simply choose the role that suits it most and ignore the GDPR requirements and the recommendations of the EDPB.
Nevertheless, when it remains complicated to make the proper decision, the client company must always document its analysis and the justification of its final choice, and have them at the ready in case of a control by the competent authority.
[1]The data controller is « the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. » (art. 4-7 of GDPR).
[2]The data processor is « a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. » (art. 4-8 of GDPR).
[3]https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf
By Marianne Saber