The EU General Data Protection Regulation (GDPR) divides the world of business into "data controllers" and "data processors." It sets out rules and obligations for both groups and regulates the way in which they work together.
Data controllers take on most of the responsibilities under the GDPR. But data processors are accountable for how they process personal data, too.
Whenever a data processor works with a data controller, there must be an extensive contract or agreement in place that governs how the data processor operates. And data processors also have new, direct responsibilities under the law, over and above the requirement to comply with this contract.
It's important to understand who is responsible for what, and who might have to pay fines or compensation if something goes wrong. Let's take a look at where liability falls in certain situations.
Data Controllers and Data Processors
Data controllers and data processors work together to process the personal data of data subjects (individuals - for example, a customer, or the user of a service).
A data controller/processor relationship generally arises where Company A asks Company B to carry out a service on its behalf. Carrying out this service might involve Company B processing personal data provided by Company A. In this case, Company A will be the data controller and Company B will be the data processor in this relationship.
Sharing personal data in this way is permitted under the GDPR. In fact, it's very common. But it is subject to certain rules. For example, a data controller must only share data with a data processor that can demonstrate its GDPR compliance.
The most important thing to remember about this relationship is that it must be governed by a Data Processing Agreement (DPA). We'll be looking at this agreement in detail later.
What is a Data Controller?
A data controller "determines the purposes and means of the processing of personal data."
Anyone can be a data controller depending on their relationship with personal data. Broadly speaking, a data controller is a person or company who has identified a reason to process personal data, and then decided how to go about doing this.
Here are some examples of companies acting as data controllers:
- Amazon collects mailing addresses from its customers in order to send out their products.
- Facebook collects aggregate behavioral data and uses it to target ads.
- A YouTube personality collects email addresses from his fans to start a mailing list.
The GDPR is mostly written to regulate the conduct of data controllers. They have a lot of responsibilities, including:
What is a Data Processor?
A data processor "processes personal data on behalf of the [data] controller."
A data processor doesn't generally have the primary interest in the end result of an act of data processing. A data processor will certainly benefit from the processing. Otherwise, there would be little reason for them to carry it out. But they're processing personal data because someone has asked them to do so.
Here are some examples of companies that act primarily as data processors:
- MailChimp receives a list of email addresses and a brief from a client. It sends a series of marketing emails based on its client's instructions.
- Hotjar collects IP addresses and tracks the behavior of users of a website. It presents the website's owner with insights into how their site is used.
- Shopify receives customer data from a website controlled by a merchant. It provides a shopping cart facility and other ecommerce utilities.
The main responsibility of a data processor is to abide by the contract it has in place with the data controller. The data processor must not process any of the data controller's personal data unless it has written permission to do so.
Under the GDPR, data processors also have direct responsibilities that apply independently of the agreements they process under. We'll be looking at these later.
Can a Company Be Both a Data Processor and a Data Controller?
It isn't possible to be both a data controller and a data processor in relation to a single piece of personal data. Either you're determining the means and purposes of processing it, in which case you're a data controller; or you're processing it on someone else's behalf, in which case you're a data processor.
But almost every company that acts primarily as data processor will be a data controller in certain respects. It is important to be aware of these dual roles.
A company that normally acts as a data processor will also be a data controller when it comes to:
- Its own customers' personal data. Each data controller customer will most likely provide the name and contact details of at least one person among their staff. While a company may normally act as a data processor, it isn't collecting this specific personal data on anyone's behalf - it is doing so for its own purposes.
- Its employees' personal data. Most companies, data processors included, keep detailed records about their staff, including some highly sensitive information.
Whenever a company that primarily acts as a data processor is acting as a data controller in respect to a given set of personal data, it also carries all the responsibilities associated with controlling that personal data.
This means that it must, for example:
- Ensure that it has an appropriate legal basis for processing this personal data
- Alert its Data Protection Authority and, where appropriate, the individuals concerned in the event of a serious data breach
Where a company is acting as a data processor in respect to a set of personal data, the data controller will be responsible for fulfilling these duties.
It's advisable for any company to think carefully about its relationship with all the personal data in its possession.
When it comes to taking the ultimate responsibility for a set of personal data, the buck stops with the data controller, so it's crucial to know whether this is you.
Equally, if you're storing or otherwise processing personal data on another company's behalf as a data processor, you must ensure you have a DPA in place to legitimize this.
A Data Processor's Liability Under a DPA
Article 28 of the GDPR states that data processors may only process personal data subject to a written contract with a data controller. A DPA is a common name for this type of contract.
A DPA can be created by either a data controller or a data processor. It is the responsibility of both parties to ensure that one is in place. Many companies that primarily act as data processors have standard DPAs that they require data controllers to agree to (or negotiate).
What is Included in a DPA?
The GDPR provides a set of requirements for DPAs. Under Article 28(3) of the GDPR, certain compulsory information must be present, including:
- Information about the processing, including its:
  - Subject matter
  - The types of personal data involved
  - The categories of data subject (e.g. customers of the data controller)
- The obligations on the data controller
The DPA must also set out certain obligations on the data processor, including that it must:
- Only act on the written instructions of the data controller
- Ensure confidentiality
- Ensure security
- Only hire subprocessors under a written contract, and with the controller's permission
- Ensure all personal data is deleted or returned at the end of the contract
- Allow the data controller to conduct audits and provide all necessary information on request
- Tell the data controller immediately if something goes wrong
- Help the data controller, where required, with:
Can a DPA Be Used to Transfer Liability?
Remember that the data controller bears the most responsibility to data subjects. If a data processor fails to do what is required under a DPA, the data controller remains liable to data subjects and will usually have to pay any compensation itself.
However, if the losses occurred because the data processor breached a Data Processing Agreement, then the data processor will be liable to the data controller for breach of contract.
A DPA is a legally binding contract between parties. So it may also contain other terms, in addition to those compulsory terms above.
For example, a DPA can include "limitation of liability" or indemnity ("hold harmless") clauses. Such terms serve to govern how liability falls between the parties.
- An indemnity clause requires one party to cover any damages that it causes the other party by breaching the contract.
- A limitation (or exclusion) of liability clause limits the amount that one party will pay to the other in the event that it breaches the contract.
It is not possible to relieve either party of their responsibilities under the GDPR. If a data subject's personal data is processed unlawfully, they have a legal right to pursue compensation from a data controller.
A DPA can't relieve a data controller of its liability to a data subject or a Data Protection Authority, even if an incident is clearly the data processor's fault.
However, a DPA may be written to allow the data controller to recover this money from the data processor in such a scenario. Or, conversely, it may limit the extent to which this is possible.
Here are some examples of such clauses in real DPAs. Note that these aren't necessarily "good" or "bad" examples. They just may or may not be enforceable in certain countries.
Here's part of Go Ask Cody's DPA, with a noteworthy section highlighted:
Here's an indemnity clause from EventBrite's DPA:
And here's an example of a "liability cap" clause from ClickUp's DPA:
What if a Data Processor Processes Personal Data Outside of a DPA?
For a data processor, processing personal data outside of a DPA effectively means becoming a data controller. This could be worse than it sounds.
As explained above, the main obligation on a data processor is to always have a DPA in place. So long as a data processor is working to the instructions of a data controller, the data controller primarily remains liable to data subjects if things go wrong.
We've seen above that a company which primarily acts as a data processor will almost certainly also be a data controller in some respects. This is true whenever it determines the means and purposes of processing personal data in its own right.
But then there is the data that the company receives from the data controller, or collects on its behalf. This personal data can only be processed subject to a DPA.
If the company goes off course and starts processing personal data outside of this agreement (for example, by gathering additional personal data that it has not been instructed to collect, or by processing personal data in a way that has not been instructed), Article 28(10) of the GDPR states that it will be considered a data controller.
"Unintentionally" becoming a data controller in this way would be a very bad thing. It would expose the company to direct liability as a data controller.
To avoid incurring this additional liability, it must be clear at all times which role your company is fulfilling.
A Data Processor's Liability Outside of a DPA
The GDPR places new obligations on a data processor, over and above simply complying with a DPA. These are things the data processor must do whether or not they're included explicitly in the DPA.
What are a Data Processor's Own Responsibilities?
Under the GDPR's predecessor, the Data Protection Directive, data processors were only really liable under their contract with a data controller rather than the law itself.
The GDPR, however, imposes several legal obligations directly on data processors, including:
- Informing the data controller about any data breaches
- Processing personal data securely
- Cooperating with Data Protection Authorities
- Employing a Data Protection Officer and/or EU Representative, if appropriate
- Keeping records of data processing activities
- Conducting due diligence when hiring subprocessors
Failing to fulfill these obligations could mean that a data processor is liable to pay compensation to data subjects or pay fines to a Data Protection Authority.
What are Subprocessors?
Just like a data controller can hire a data processor to process personal data on its behalf, a data processor can hire a subprocessor. This subprocessor is still considered to be processing personal data on behalf of the original data controller.
Article 28(4) of the GDPR gives some requirements for data processors when they are hiring subprocessors.
For example, a data processor may only hire a subprocessor with the written agreement of its data controller (this can be a general agreement).
There must be a Data Processing Agreement in place between the data processor and subprocessor that complies with the conditions under Article 28(3) (as above). This agreement must offer the same level of protection as the original DPA.
Is a Data Processor Liable for Its Subprocessors?
The data processor will be liable to the data controller for any damage caused by a subprocessor's violation of the GDPR.
So, let's say a subprocessor breaches its contract with its data processor in a way that causes damage to a data subject. The following principles will apply:
1. The data controller remains liable to the data subject, whether the incident was the fault of its data processor or of the subprocessor.
2. The data processor will be liable to the data controller for the money that the data controller paid to the data subject at point 1, even if the incident was the fault of its subprocessor.
3. The subprocessor could be liable to the data processor for the money the data processor has paid out to the data controller at point 2.
This table sets out the activities for which data controllers and data processors are liable under the GDPR.
Note that a data processor may also be liable to its data controller if it breaches its DPA, and a subprocessor may be liable to its data processor.
Remember that a company that normally acts as a data processor will also be a data controller in certain respects. It must fulfill the obligations of a data controller whenever it acts as one.
| Activity | Data Controller | Data Processor |
|---|---|---|
| Determining a legal basis for processing | ✔ | ✗ |
| Earning consent for processing (where appropriate) | ✔ | ✗ |
| Facilitating data subject rights | ✔ | ✗ (but must assist the controller) |
| Processing personal data securely | ✔ | ✔ |
| Notifying the Data Protection Authority and data subjects of a breach (where required) | ✔ | ✗ (but must inform the controller) |
| Only hiring data processors who are GDPR-compliant | ✔ | ✔ (in relation to subprocessors) |
| Keeping data processing records (if required) | ✔ | ✔ |
| Only processing personal data under contract | ✗ | ✔ |
| Only hiring additional processors with written agreement | ✗ | ✔ |