The extent to which an organization is subject to obligations under EU data protection law depends on whether or not it is a ‘data controller’. Generally speaking, a party that handles personal data on behalf of the data controller is known as a ‘data processor’ and is subject to far fewer obligations under the law. However, it’s often far from clear who’s the controller and who’s the processor, so here are some guidelines to help you reach a conclusion.
Am I the ‘controller’ or the ‘processor’?
Control, rather than possession, of personal data is the determining factor here. The data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed. By contrast, a data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees). This could include anything as seemingly trivial as, for example, storage of the data on a third party’s servers, or appointing a data analytics provider.
Can I be both?
That sounds straightforward enough, but often the arrangements are not that simple. It is perfectly possible for two separate organizations to be data processors of the same data. Taking the example above, one organization runs the analytics whereas another organization stores the data – both are data processors of the data.
Similarly, the same organization can be both a data controller and a data processor. Taking the example one step further, if our analytics provider runs a customer’s data through its systems, the provider will be the processor of that data. However, the analytics provider may hold any number of other data sets, which it perhaps uses in its analytics tools. If the analytics provider is entitled to determine the way in which that other data is used, it will be the controller of that data.
OK, what does this all mean for me?
As data controller, you’ll be subject to a number of requirements under EU law. For example, you must:
- notify the relevant national authority before carrying out any data processing.
- comply with European data protection principles, e.g. processing data fairly and lawfully, and using data for specific, legitimate purposes.
- provide certain information to individuals about whom you hold personal data, e.g. your identity, details of the data you hold and what you plan to do with it.
- implement technical and organizational measures to protect personal data against accidental loss/destruction, unauthorized access or other unlawful processing.
- enter into written agreements with your processors that require them to (a) act only on your instructions and (b) comply with the same security obligations as are imposed on you under the applicable national legislation.
I’ve heard the rules are changing – will that make a difference?
The General Data Protection Regulation, which came into force on 25 May 2018, imposes new obligations on data processors. In particular, processors will:
- have to maintain a record of all processing operations under their responsibility.
- be deemed to be a joint controller in respect of any data processing that they carry out beyond the scope of the controller’s instructions.
- be directly responsible for implementing appropriate security measures.
- need to inform a controller immediately of any data breach.
- need to appoint a Data Protection Officer if certain criteria are met.
This will represent a significant change for data processors, who (under the current regime) can avoid direct liability under the law. Given the heavy fines that can be imposed for breaches of the new GDPR, processors will need to familiarize themselves with the new rules. Detailed analysis may be required to determine, for example, whether you need a Data Protection Officer or if your activities are outside the scope of a controller’s instructions. But now that you know whether you’re a data processor or controller, you’re off to a good start on your European data protection journey!