Defining data processing roles within a controller / processor contract requires a deep understanding of each party's obligations and liabilities if you are to get it right and remain compliant.
There is many a conversation taking place over the responsibilities and accountability of data controllers and data processors. Both have responsibilities under the GDPR, but their obligations under the regulation differ. Predominantly, data controllers carry more accountability and liability, but processors have new responsibilities and new layers of liability written into their roles.
I often hear the question “are you a controller or a processor?”. It is not as simple as that, of course. Although you cannot hold both the controller and processor roles in a single data processing activity, a service organisation can hold the controller role in one processing activity and be the processor in another. Organisations should look at their Data Processing Addendums and SCC agreements and make sure they are clear which role they hold in each agreement.
We will attempt to guide you through the descending mist on the subject in this article.
Stay with us to find out what areas of the regulation are relevant and apply to your operations most and how you need to work together with your partner / vendor to reach and maintain GDPR compliance.
Definitions of Controller and Processor
A data controller is: “a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.”
A data processor processes personal data on behalf of the controller, in the way instructed by the controller. That extends to any sub-processor used by the processor.
Here’s an example:
Your online store captures email addresses and other personal data provided by both store visitors and store members for sales and marketing purposes. All the data collected is then sent to Jon Doe Global Marketing Ltd for use in email marketing, SEO and social media campaigns.
By providing both the data and the instructions for processing it, you are the data controller in the relationship and Jon Doe Global Marketing Ltd is the data processor.
If you were to provide the data but leave Jon Doe Global Marketing Ltd to decide the purposes and means of processing it, then Jon Doe Global Marketing Ltd is no longer a mere processor: it is determining purposes and means and so becomes a controller in its own right (a joint controller with you where the purposes are shared).
Why does it matter so much who determines the “purposes and means of processing”?
The GDPR differentiates between these roles for compliance purposes. The European Commission's guidance holds the data controller to be the accountable party, responsible for collecting, managing and providing access to data.
For example, if a data subject exercises their right of access, the controller must retrieve the data from its own servers or from the processor it has contracted to handle the data.
Differing Roles for Controllers and Processors
The GDPR distinguishes between controllers and processors for the purpose of responsibility and accountability. As a result, each is assigned a different role for GDPR compliance.
Let's take a more detailed look at each party's role according to the legislative requirements.
It is the data controller who decides to collect personal data from data subjects (a processor may operate the collection mechanism, but only on the controller's instructions). As a result, data controllers are also responsible for determining their lawful basis for obtaining that data.
Data controllers need to establish a lawful basis for collecting the data using one of the six bases set out in Article 6 of the GDPR, and if the data includes special category data they must also meet one of the ten conditions set out in Article 9(2). Beyond the lawful basis, the controller decides:
- What data they collect
- How they store the information
- How they use the information
- Whom they share the data with
- Whether they share the data with third parties
- When and how they dispose of the data
As soon as a data processor starts deciding for itself what data to collect or what to use it for, it is acting as a data controller and all of the above responsibilities apply.
Controllers must only use data processors that provide sufficient guarantees of compliance with the legislation. There should be detailed due diligence in the selection of data processors. This usually takes the form of a due diligence questionnaire, and could include a data privacy audit. Where the processing involves high risk, a DPIA must be carried out as part of the process.
Furthermore, whenever a data controller and data processor agree to work together, they must do so under a clearly defined contract. The contract must set out the instructions the processor must follow when processing the data.
Include the following information, stipulated by the GDPR, in each contract:
- Subject matter, duration, nature and purpose of the processing
- Controller rights and obligations
- Categories of personal data
- Categories of data subjects
- Agreement to adhere to instructions
- Confidentiality issues
- Commitment to security and Article 32
- Terms of hiring sub-processors
- Means of demonstrating compliance with Article 28 (information and audits)
- Return or deletion of data at the end of the service
The design and introduction of the contract is the responsibility of the data controller. Data processors are accountable by law to follow the instructions the controller provides.
If the controller fails to set out the required data processing activities and leaves the purposes and means up to the processor, then the processor is treated as a controller in the eyes of the law.
Data processors are not only accountable for upholding the terms of the contract. They must also immediately inform the controller if, in their opinion, an instruction infringes the GDPR or other EU or member state data protection law.
Codes of Conduct or Certifications
In addition to having a contract, a processor's adherence to an approved code of conduct or a recognised certification mechanism may be used as an element to demonstrate that it provides the guarantees the GDPR requires.
Read more about Codes of Conduct in Article 40
The GDPR holds data controllers accountable and responsible for the collection, use, and disposal of personal data in most cases.
Data controllers were, however, already liable under both European legislation and national law before the GDPR.
What’s new in GDPR is the added accountability and liability for data processors.
Under the GDPR, individuals whose data you hold may send queries or complaints to either the data controller or the data processor.
Data processors are liable where they act outside the instructions provided by the controller, or where they breach the obligations the GDPR places specifically on processors.
Both the controller and processor must ensure through sound security practices that they achieve and maintain compliance with the GDPR. Each party to the contract has an obligation to protect data from:
- Unauthorised access (both internal and external)
- Loss of availability of the data
- Accidental loss, destruction or damage
The GDPR outlines the measures in Article 32 and applies them to both controllers and processors equally.
Agreed security measures must be detailed in the contract, and the regulation also gives both parties a way to evidence them.
In addition to using adequate and appropriate security measures, both controllers and processors may use adherence to an approved code of conduct or certification mechanism as an element to demonstrate compliance with Article 32.
The code of conduct is outlined in Article 40(2).
Data Protection Impact Assessments
Controllers must carry out a data protection impact assessment whenever a processing activity is likely to result in a high risk to individuals, whether the activity is carried out in-house or by a processor on their instructions. Each member state's Supervisory Authority publishes a list of the processing operations it considers to require a DPIA.
Each Data Protection Impact Assessment (DPIA) must include a minimum of four essential elements:
- Description of the purpose of the process and the process itself
- Assessment of the necessity and proportionality of the processing
- Assessment of the risks to the rights and freedoms of data subjects
- Measures applied to address and minimize risks
When should controllers carry out a data protection impact assessment?
Here are a few instances:
- Trying out new technologies
- Carrying out large scale profiling
- Extensive and systematic profiling
- Large scale processing of special category data
- Mixing or matching data from multiple sources
- Processing children’s data for marketing purposes
- Processing data that might cause physical harm if breached
Transparency is a crucial goal of the GDPR
Article 5(1)(a) requires personal data to be “processed lawfully, fairly and in a transparent manner in relation to the data subject”, and Article 5(2) makes the controller responsible for being able to demonstrate this.
Transparency should continue throughout the life of the data, from collection to deletion.
Processors aren't explicitly mentioned in the text of the article; the accountability sits with the controller.
Records of Processing Activities
Under Article 30, data controllers are required to keep records of their processing activities. Organisations employing fewer than 250 people are exempt unless any of the following applies:
- the processing is likely to result in a risk to the rights and freedoms of data subjects (e.g. scoring, comprehensive monitoring, high risk resulting from unauthorised disclosure or access, use of new technologies),
- the processing is not occasional, or
- the processing includes special categories of data as referred to in Article 9(1) (e.g. health data, biometric data, data relating to political or philosophical beliefs) or personal data relating to criminal convictions and offences referred to in Article 10.
These records document the basis for your data collection and include:
- Details of the controller
- Processing purposes
- Description of types of data collected
- Categories of data recipients
- Data transfers including data transferred to third countries
- Envisaged time limits for erasure
- General description of the security measures
Data processors are also now obliged to keep records. Their records relate to the processing carried out on behalf of each controller and include:
- Name and details of processor(s) and controller(s) and Data Protection Officer (if applicable)
- Categories of processing
- Data transfers to third countries or international organizations
- General description of security measures according to Article 32
All records must be in writing, which includes electronic form, and should be ready to present to the Supervisory Authority on request.
Reporting Data Breaches
Controllers must notify the Supervisory Authority of a personal data breach unless it is unlikely to result in a risk to the rights and freedoms of data subjects, and must also notify the affected data subjects where the breach is likely to result in a high risk to them. Notifications to the Supervisory Authority must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Every breach, including those that do not need to be reported to the Supervisory Authority, must be documented in a data breach record.
If a processor becomes aware of a personal data breach, it must notify the affected controllers without undue delay.
Appointing a Data Protection Officer
Both controllers and processors must appoint a Data Protection Officer (DPO) when they meet one or more of the following criteria:
- They are a public authority or body
- Their core activities involve large-scale, regular and systematic monitoring of individuals
- Their core activities involve large-scale processing of special categories of data or of criminal conviction and offence data
If appointed, a DPO’s role is to:
- Advise the organization about its role in data protection
- Monitor compliance with relevant legislation
- Help with impact assessments
- Work with relevant Supervisory Authorities
The DPO can be appointed internally or outsourced to a DPO service provider.
Data controllers and data processors have different obligations under the GDPR, but you'll also find that their roles complement each other in reaching the goals of transparency and accountability.
Data controllers perform most of the resource-intensive regulatory duties, while processors play a more prescriptive role. However, both have new liabilities under the law that make it essential for each to uphold their end of the contract. Working together promotes compliance and helps both parties avoid the new, hefty fines that come with violating the rules.
Relentless Data Privacy provides a full range of services and a soon-to-be-launched GDPR 24/7 platform where all of the above can be achieved in one place.