Is my enterprise a data controller or data processor?
Every time you process personal data, you will do so either as a data controller or as a data processor. It is very important to know in which of these roles you are operating for each and every data processing activity you undertake, because the legal obligations you will bear differ according to this qualification.
This section aims to clarify when your company will qualify as a data controller, or rather a processor.
Am I a controller or processor?
Answer yes or no to each one of the following questions:
Did you take the initiative to start collecting, or otherwise processing, personal data?
Did you decide the purpose of the processing?
Did you decide which types of personal data are to be collected and from which types of individuals?
Are you giving instructions to another entity processing personal data, rather than following instructions from someone else?
Are you the party mainly benefiting from the result of the processing?
Do you have a direct relationship with the individuals concerned (e.g. a contract or employment)?
Do you monitor other entities’ execution of the service?
Is your enterprise visible to the individuals concerned? (Visibility comes with expectations from the individuals; the lower your visibility towards the individuals, the more likely you are a processor.)
Are you the enterprise with the highest professional expertise?
The more often you have indicated ‘yes’, the more likely you are a controller. Mainly ‘no’ answers indicate that you are probably acting as a processor. If you answered ‘yes’ to the second question, you are a controller in any case.
Am I a joint controller?
Answer yes or no to each one of the following questions:
Do you have a common objective and purpose with other parties regarding the processing?
Are you using the same set of personal data for this processing as another controller?
Have you designed the process with another controller?
Do you have common information management rules with another controller?
In case you have indicated ‘yes’ once or more, you are most likely processing personal data as a joint controller.
Obligations and liability
If your enterprise is acting as a controller, you will carry the highest level of compliance responsibility: you will not only have to comply with all the data protection principles and all other GDPR requirements, you will also need to be able to demonstrate that compliance.
Additionally, as a controller you are responsible for the compliance of your processor(s). Below you can find a short summary of all controller obligations under the GDPR.
For more guidance on your obligations and liabilities as a data processor, check out this guide by the French data protection authority (CNIL).
New under the GDPR is that processors also carry a limited number of specific legal obligations, although a lower level of compliance responsibility applies to them. In a scenario where your enterprise acts as a processor, your obligations are the following.
As a processor you can only process data in accordance with the controller’s instructions, unless you must process data pursuant to a legal obligation. If the latter is not the case and instructions were disobeyed, you will be requalified as a controller.
If a processor is responsible for a breach, it will be legally liable and individuals or supervisory authorities can bring claims for compensation and damages.
In a situation of joint controllership, you will also have to fulfil all obligations aimed at controllers.
For an overview of all these obligations, see the section on Data controller.
Additionally, as a joint controller, you will need to draw up an agreement to establish clear arrangements with the other controller(s) regarding the division of duties, tasks and responsibilities, unless these are already determined by EU or Member State law.
A contact point should also be designated for individuals concerned, to which they can turn in case of questions or complaints.
Regardless of the agreement between joint controllers, joint controllership implies joint liability: each controller can be held fully liable, vis-à-vis affected individuals, for the entire damage caused. The data subject is thus entitled to bring a claim against whichever of the joint controllers he or she wishes. This is to ensure that the data subject is effectively compensated.
Afterwards, the joint controller who paid the compensation can seek to recover damages from any other joint controllers involved in the joint processing. An exemption exists only if the controller is not in any way responsible for the harm.
Data processing agreements
In practice, many companies turn to third parties to process personal data – also SMEs!
Think of an email client, a cloud storage service or website analytics software. In all these situations, the GDPR requires you to put in place a data processing agreement with each of these third-party service providers.
A data processing agreement is a legally binding document between the controller and the processor, in writing or in electronic form. It governs the specificities of data processing (which type of data will be processed, for which purpose, on which ground will the processing take place etc.), as well as the relationship between the controller and the processor – including the rights and obligations.
Besides the fact that a data processing agreement is required by law, it also assures you that the data processor you are using is qualified and competent.
The European Data Protection Board (EDPB) wants companies to do more than simply reiterate the GDPR provisions; it encourages them to specifically define processes around the processor’s obligations. For example, determine specific steps for the processor to address an access request by an individual, or describe in detail the purpose and nature of the processing activities carried out on behalf of the controller, as well as the type of data processed, the categories of individuals concerned and the duration of the processing. The Board also suggests including the list of sub-processors as an annex to the agreement.
By not entering into a data processing agreement in cases where this is required, you will risk a fine!
For a template to help you draft a data processing agreement, click here.
Time for action!
Before engaging in any processing activities, make sure to assess whether you are a controller, processor or joint controller in relation to the processing activities taking place.
In case you are working with a processor, draft a data processing agreement between yourself and this processor, including certain mandatory provisions.
In case you are acting as a processor, make sure you do not go beyond the controller’s instructions, as this potentially constitutes a violation of data protection legislation, resulting in your enterprise being liable.