GDPR: Are you a processor or a controller?
Russell Advocaten B.V.
Amsterdam, Netherlands
The new European privacy regulation creates a great deal of confusion. Do you comply with the GDPR?
On 25 May 2018, the General Data Protection Regulation (GDPR) became applicable. This European privacy regulation contains rules for the (automated) processing of personal data. Several months have passed since then, and it turns out that companies unintentionally breach the new legislation often and on a large scale. In particular, it is often unclear when an organisation qualifies as a “processor” of personal data and when as a “controller”. This distinction is crucial when drafting a Privacy Statement and concluding the required processing agreements. So how exactly are the roles defined?
The new European privacy legislation is intended to protect the privacy of individuals in the EU. The GDPR applies to all companies and institutions holding and processing the personal data of individuals in the EU, whether the organisation itself is established within or outside the EU.
The GDPR requires organisations to make clear in advance which personal data they will be processing, for which purposes, with whom the personal data might have to be shared, and how long the personal data will be stored. This can be done by means of a Privacy Statement on the website of the organisation.
The controller is the organisation that, alone or jointly with others, determines the purposes and means of the processing of personal data. In other words, the controller decides “why” and “how” personal data will be processed.
Under the GDPR, the controller is accountable: the organisation must be able to demonstrate that it complies with the GDPR rules. The aforementioned Privacy Statement on the company website can be part of this. As almost every company processes personal data, even if it is only the data of its own personnel, you will quickly qualify as a controller.
The processor is the party engaged by the controller to process personal data on its behalf. In this situation, the controller defines “what” has to be done and “how” it has to be done; the processor carries out the processing on the controller's instructions. It is important that the party processing the data is not under the direct authority of the controller: an employee of the organisation itself will not be considered a processor under the GDPR. Usually, the processor is a party outside the enterprise. Here are a few (easy) examples:
An administrative office engaged to process salary payments.
A cloud service provider offering IT solutions.
Under the GDPR the processor has several new obligations of its own. Permission must be obtained from the controller before engaging another processor (a so-called “sub-processor”), personal data breaches must be reported to the controller, and records of processing activities must be kept.
Difficult cases
Sometimes it is rather difficult to say whether you are dealing with a “processor”. A key factor is how much scope the service provider has to determine what it does. As a processor you have no control over the purposes of the data processing: the processor may only act under the responsibility of the controller and upon its instructions. If the processor takes decisions by itself about the purposes and means of the processing, it becomes the controller of that (new) processing. This means that the mere fact that you receive an assignment from a controller is not sufficient to qualify as a “processor”.
Some examples:
A cloud service provider offers a fitness app to companies and, for this purpose, processes the personal data of the members. The cloud service provider qualifies as a controller, as it determines which personal data will be processed and how they are used.
A cloud service provider offers data storage only. The cloud service provider qualifies as a processor, as it processes the personal data on behalf of and upon the instructions of the controller.
The decisive factor is thus: How much scope does the service provider have to independently determine the purposes and means to perform its task(s)?
Organisations can be both processor and controller at the same time. The aforementioned administrative office that processes the personal data of others on their behalf is also the controller of the personal data of its own employees.
Under the GDPR, the processor has been given several new independent obligations. The most important ones, which create a lot of confusion, must be laid down in the processing agreement. The purpose of the processing agreement is to record which data processing will be carried out by the processor on behalf of the controller.
Both controller and processor can be held accountable for the absence of such an agreement. This means that both are required to conclude a processing agreement, and both can be fined if they fail to do so.
Content of processing agreement
A processing agreement mainly contains the obligations of a processor, such as:
Personal data are to be processed solely on the basis of documented (written) instructions from the controller.
Ensuring that persons authorised to process the personal data are bound by confidentiality.
Taking suitable technical and organisational measures to secure the processing and, where possible, assisting the controller in doing so.
Requesting the controller's permission before engaging another processor (“sub-processor”).
Assisting the controller in responding to requests from data subjects exercising their rights under the law.
Deleting or returning all personal data, and deleting existing copies, upon completion of the processing services.
Making available to the controller all information necessary to demonstrate compliance, and allowing for and contributing to audits and inspections conducted by or on behalf of the controller.
In addition, the following has to be included in a processing agreement:
the subject
the duration of processing
the nature and purposes of processing
the type of personal data
the categories of data subjects (persons whose data are processed)
the rights and obligations of the controller and the processor.
Difficult cases
In practice, it is often unclear to companies who is the “processor” and who is the “controller”. As a result, the roles in agreements are often reversed, and the party commissioning the processing is wrongly designated as the “processor”. As the two roles carry different responsibilities towards each other, it is crucial to determine accurately whether you are a processor or a controller.
By now, the GDPR has been applicable for several months. Both controller and processor are required to comply with the provisions of the regulation. Companies that do not (yet) comply with the new legislation can be fined by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens; AP). The penalty can be up to 20 million euros or 4% of the worldwide annual turnover, whichever is higher.
Make sure to always conclude a processing agreement if you have third parties process personal data.
Get legal advice if you are not sure whether you are a processor or controller.
Would you like to know whether your company is “GDPR proof”? Would you like Russell Advocaten to draft a processing agreement or check your existing agreements? Please contact us.