Data protection law recognises two types of organisation: Controllers and Processors. A Controller is the party that makes decisions about what data will be processed, the purposes for which it is processed, how long it will be kept, who it will be shared with, and so on.
A Processor acts only on instructions; it has no interest in the processing beyond being paid for providing a service. At the end of the contract period the Processor will delete or return the records to the Controller; it has no interest in them that outlives the contract period.
A couple of examples are useful at this point.
Example 1: An employer is a Controller in respect of personal data relating to its employees. If the employer chooses to outsource payroll, the payroll service provider is a Processor, acting only on instructions.
Example 2: A company is a Controller in respect of its prospect database and, if it decides to send marketing emails using a mailing house, the mailing house is a Processor for that activity.
Even organisations that are Processors when acting for their clients will be Controllers in relation to their own employees, and possibly in relation to other activities such as CCTV or even other client services.
Why does it matter whether organisations are Controllers or Processors?
It is important to identify correctly whether an organisation is a Controller or a Processor because it affects the contract terms. Article 28 of the GDPR specifies that the contract must be in writing and sets out the required content of a Controller-to-Processor agreement. The GDPR also requires the Controller to carry out appropriate due diligence on the Processor's arrangements for the security of the personal data, both in transit and once under the Processor's control. It is expressly stated that responsibility for putting a data processing contract in place rests with the Controller.
Data sharing takes place Controller to Controller and should be subject to a written contract setting out each party's individual responsibility to comply with the GDPR, the limits of the data transfer and its purpose.
Groups of companies
The same rules around Controllers and Processors apply between group companies. Data protection law does not recognise marketing or trading groups: each company is a separate Controller and possibly a Processor. So if there is one company in a trading group that employs staff, it will be a Processor providing employees to work on behalf of the other trading companies, which do not employ staff. Alternatively, one company in a group might provide expertise via its own employees as a service to other group companies, and the arrangements need to be investigated to determine the status of the parties (i.e. Controller or Processor) in each case. It is not always easy to make the assessment, as it is determined by the facts of the relationship. If there is a contract setting out the status of the parties, it will count as evidence but will not necessarily be the determining factor.
It is possible that one relationship might involve the parties in different roles. For example, if joint Controllers share data but only one of them has access to it, that party will also be a Processor on behalf of the other joint Controller when it runs reports and sends them over.
Authority to do business
Some activities require authorisation or certification, so the organisations carrying them out will be Controllers for the authorised services in all cases: for example banks, insurance companies for underwriting, brokers for broking and lawyers for giving legal advice. So a bank processing a payment made to a Controller is also a Controller, because the activity is regulated and the trading Controller is not able to process the payment itself.
We hope this article provides some information on the roles of Controller and Processor that is easy to grasp, but if you need any help with data protection compliance, feel free to contact us for a quote.
Mandy Webster, Data Protection Consultant