The relationship between controller and processor, and the allocation of those roles in a given processing operation, has been one of the most talked-about topics since the GDPR came into force.
Many service providers faced the challenge of being classified by their clients as data processors. In some cases it was relatively easy to classify a service provider as a processor; in other, more complicated cases it was not so easy to allocate the roles.
The European Data Protection Board (EDPB) has adopted Guidelines on the concepts of controller and processor in the GDPR. The guidelines are currently open for public consultation; a final version will be adopted later.
The Guidelines give some guidance and discuss each role, but they do not give specific answers for the common cases that arise in day-to-day data protection practice.
The most significant point is that each case must be evaluated on its own merits: each role must be allocated and defined based on the specific facts and relationships between the parties.
Some legal background on the matter
The concepts of controller, joint controller and processor are functional concepts, in that they aim to allocate responsibilities according to the actual roles of the parties, and autonomous concepts, in the sense that they should be interpreted mainly according to EU data protection law.
A controller is a body that decides certain key elements of the processing. Controllership may be defined by law or may stem from an analysis of the factual elements or circumstances of the case. A controller determines the purposes and means of the processing, i.e. the why and how of the processing. The controller must decide on both purposes and means. It is not necessary that the controller actually has access to the data that is being processed to be qualified as a controller.
A processor is a natural or legal person, public authority, agency or another body, which processes personal data on behalf of the controller. Two basic conditions for qualifying as processor exist: that it is a separate entity in relation to the controller and that it processes personal data on the controller’s behalf.
How to define a controller role?
The controller concept refers to the controller’s influence over the processing, by virtue of an exercise of decision-making power. A controller is a body that decides certain key elements about the processing. This controllership may be defined by law or may stem from an analysis of the factual elements or circumstances of the case. One should look at the specific processing operations in question and understand who determines them, by first considering the following questions: “why is this processing taking place?” and “who decided that the processing should take place for a particular purpose?”
The concept of controller is a functional concept; it is therefore based on a factual rather than a formal analysis. In most situations, the “determining body” can be easily and clearly identified by reference to certain legal and/or factual circumstances from which “influence” can normally be inferred, unless other elements indicate the contrary. Two categories of situations can be distinguished: (1) control stemming from legal provisions; and (2) control stemming from factual influence.
There are cases where control can be inferred from explicit legal competence e.g., when the controller or the specific criteria for its nomination are designated by national or Union law. Where the controller has been specifically identified by law this will be determinative for establishing who is acting as controller.
However, more commonly, rather than directly appointing the controller or setting out the criteria for its appointment, the law will establish a task or impose a duty on someone to collect and process certain data. In those cases, the purpose of the processing is often determined by the law. The controller will normally be the one designated by law for the realization of this purpose, this public task. For example, this would be the case where an entity which is entrusted with certain public tasks (e.g., social security) which cannot be fulfilled without collecting at least some personal data, sets up a database or register in order to fulfil those public tasks. In that case, the law, albeit indirectly, sets out who is the controller. More generally, the law may also impose an obligation on either public or private entities to retain or provide certain data. These entities would then normally be considered as controllers with respect to the processing that is necessary to execute this obligation.
In the absence of control arising from legal provisions, the qualification of a party as controller must be established on the basis of an assessment of the factual circumstances surrounding the processing.
All relevant factual circumstances must be taken into account in order to reach a conclusion as to whether a particular entity exercises a determinative influence with respect to the processing of personal data in question.
In practice, certain processing activities can be considered as naturally attached to the role or activities of an entity ultimately entailing responsibilities from a data protection point of view. This can be due to more general legal provisions or an established legal practice in different areas (civil law, commercial law, labour law etc.). In this case, existing traditional roles and professional expertise that normally imply a certain responsibility will help in identifying the controller, for example an employer in relation to processing personal data about his employees, a publisher processing personal data about its subscribers, or an association processing personal data about its members or contributors. When an entity engages in processing of personal data as part of its interactions with its own employees, customers or members, it will generally be the one who factually can determine the purpose and means around the processing and is therefore acting as a controller within the meaning of the GDPR.
If one party in fact decides why and how personal data are processed, that party will be a controller even if a contract says that it is a processor. Similarly, the mere fact that a commercial contract uses the term “subcontractor” does not make an entity a processor from the perspective of data protection law.
The object of the controller’s influence is the “purposes and means” of the processing. This represents the substantive part of the controller concept: what a party must determine in order to qualify as controller.
Determining the purposes and the means amounts to deciding respectively the “why” and the “how” of the processing: given a particular processing operation, the controller is the actor who has determined why the processing is taking place (i.e., “to what end”; or “what for”) and how this objective shall be reached (i.e. which means shall be employed to attain the objective).
Essential vs. non-essential means
The question is where to draw the line between decisions that are reserved to the controller and decisions that can be left to the discretion of the processor. Decisions on the purpose of the processing are clearly always for the controller to make.
As regards the determination of means, a distinction can be made between essential and non-essential means. “Essential means” are closely linked to the purpose and the scope of the processing and are traditionally and inherently reserved to the controller. Examples of essential means are the type of personal data which are processed (“which data shall be processed?”), the duration of the processing (“for how long shall they be processed?”), the categories of recipients (“who shall have access to them?”) and the categories of data subjects (“whose personal data are being processed?”). “Non-essential means” concern more practical aspects of implementation, such as the choice of a particular type of hardware or software, or the detailed security measures, which may be left to the processor to decide on.
The concept of a controller can be linked either to a single processing operation or to a set of operations. In practice, this may mean that the control exercised by a particular entity may extend to the entirety of processing at issue but may also be limited to a particular stage in the processing.
It is not necessary that the controller actually has access to the data that is being processed. Someone who outsources a processing activity and in doing so, has a determinative influence on the purpose and (essential) means of the processing (e.g. by adjusting parameters of a service in such a way that it influences whose personal data shall be processed), is to be regarded as controller even though he or she will never have actual access to the data.
How to determine who is a processor?
Two basic conditions for qualifying as processor are:
- a) being a separate entity in relation to the controller and
- b) processing personal data on the controller’s behalf.
The first condition is self-explanatory. Processing personal data on the controller’s behalf firstly requires that the separate entity processes personal data for the benefit of the controller. Secondly, the processing must be done on behalf of a controller, but otherwise than under its direct authority or control. Acting “on behalf of” means serving someone else’s interest and recalls the legal concept of “delegation”.
The EDPB recalls that not every service provider that processes personal data in the course of delivering a service is a “processor” within the meaning of the GDPR. The role of a processor does not stem from the nature of an entity that is processing data but from its concrete activities in a specific context. The nature of the service will determine whether the processing activity amounts to processing of personal data on behalf of the controller within the meaning of the GDPR. In practice, where the provided service is not specifically targeted at processing personal data or where such processing does not constitute a key element of the service, the service provider may be in a position to independently determine the purposes and means of that processing which is required in order to provide the service. In that situation, the service provider is to be seen as a separate controller and not as a processor. A case-by-case analysis remains necessary, however, in order to ascertain the degree of influence each entity effectively has in determining the purposes and means of the processing.
The EDPB notes that a service provider may still be acting as a processor even if the processing of personal data is not the main or primary object of the service, provided that the customer of the service still determines the purposes and means of the processing in practice. When considering whether or not to entrust the processing of personal data to a particular service provider, controllers should carefully assess whether the service provider in question allows them to exercise a sufficient degree of control, taking into account the nature, scope, context and purposes of processing as well as the potential risks for data subjects.