13 February 2020
The EU General Data Protection (GDPR) divides the world of business into "data controllers" and "data processors." It sets out rules and obligations for both groups and regulates the way in which they work together.
Data controllers take on most responsibilities under the GDPR. But data processors are accountable for how they process personal data, too
Whenever a data processor works with a data controller, there must be an extensive contract or agreement in place that governs how the data processor operates. And data processors also have new, direct responsibilities under the law, over and above the requirement to comply with this contract.
It's important to understand who is responsible for what, and who might have to pay fines or compensation if something goes wrong. Let's take a look at where liability falls in certain situations.
Data controllers and data processors work together to process the personal data of data subjects (individuals - for example a customer, or the user or a service).
A data controller/processor relationship generally arises where Company A asks Company B to carry out a service on its behalf. Carrying out this service might involve Company B processing personal data provided by Company A. In this case, Company A will be the data controller and Company B will be the data processor in this relationship.
Sharing personal data in this way is permitted under the GDPR. In fact, it's very common. But it is subject to certain rules. For example, a data controller must only share data with a data processor that can demonstrate its GDPR-compliance.
The most important thing to remember about this relationship is that it must be governed by a Data Processing Agreement (DPA). We'll be looking at this agreement in detail later.
A data controller "determines the purposes and means of the processing of personal data."
Anyone can be a data controller depending on their relationship with personal data. Broadly speaking, a data controller is a person or company who has identified a reason to process personal data, and then decided how to go about doing this.
Here are some examples of companies acting as data controllers:
The GDPR is mostly written to regulate the conduct of data controllers. They have a lot of responsibilities, including:
A data processor "processes personal data on behalf of the [data] controller."
A data processor doesn't generally have the primary interest in the end result of an act of data processing. A data processor will certainly benefit from the processing. Otherwise, there would be little reason for them to carry it out. But they're processing personal data because someone has asked them to do so.
Here are some examples of companies that act primarily as data processors:
The main responsibility of a data processor is to abide by a contract it has in place with the data controller. The data processor must not process any of the data controller's personal data if does not have written permission.
Under the GDPR, data processors also have direct responsibilities outside of the agreements they process under. We'll be looking at these later.
It isn't possible to be both a data controller and a data processor in relation to a single piece of personal data. Either you're determining the means and purposes of processing it, in which case you're a data controller; or you're processing it on someone else's behalf, in which case you're a data processor.
But almost every company that acts primarily as data processor will be a data controller in certain respects. It is important to be aware of these dual roles.
A company that normally acts a data processor will also be a data controller when it comes to:
Whenever a company that primarily acts as a data processor is acting as a data controller in respect to a given set of personal data, it also carries all the responsibilities associated with controlling that personal data.
This means that it must, for example:
Where a company is acting as a data processor in respect to a set of personal data, the data controller will be responsible for fulfilling these duties.
It's advisable for any company to think carefully about its relationship with all the personal data in its possession.
When it comes to taking the ultimate responsibility for a set of personal data, the buck stops with the data controller, so it's crucial to know whether this is you.
Equally, if you're storing or otherwise processing personal data on another company's behalf as a data processor, you must ensure you have a DPA in place to legitimize this.
Article 28 of the GDPR states that data processors may only process personal data subject to a written contract with a data controller. A DPA is a common name for this type of contract.
A DPA can be created by either a data controller or a data processor. It is the responsibility of both parties to ensure that one is in place. Many companies that primarily act as data processors have standard DPAs that they require data controllers to agree to (or negotiate).
The GDPR provides a set of requirements for DPAs. Under Article 28(3) of the GDPR. Certain compulsory information must be present, including:
The DPA must also set out certain obligations on the data processor, including that it must:
Remember that the data controller bears the most responsibility to data subjects. If a data processor fails to do what is required under a DPA, the data controller remains liable to data subjects and will usually have to pay any compensation itself.
However, if the losses occurred because the data processor breached a Data Processing Agreement, then the data processor will be liable to the data controller for breach of contract.
A DPA is a legally binding contract between parties. So it may also contain other terms, in addition to those compulsory terms above.
For example, a DPA can include "limitation of liability" or indemnity ("hold harmless") clauses. Such terms serve to govern how liability falls between the parties.
It is not possible to relieve either party of their responsibilities under the GDPR. If a data subject's personal data is processed unlawfully, they have a legal right to pursue compensation from a data controller.
A DPA can't relieve a data controller of its liability to a data subject or a Data Protection Authority, even if an incident is clearly the data processor's fault.
However, a DPA may be written to allow the data controller to recover this money from the data processor in such a scenario. Or, conversely, it may limit the extent to which this is possible.
Here are some examples of such clauses in real DPAs. Note that these aren't necessarily "good" or "bad" examples. They just may or may not be enforceable in certain countries.
Here's part of Go Ask Cody's DPA, with a noteworthy section highlighted:
Here's an indemnity clause from EventBrite's DPA:
And here's an example of a "liability cap" clause from ClickUp's DPA:
For a data processor, processing personal data outside of a DPA effectively means becoming a data controller. This could be worse than it sounds.
As explained above, the main obligation on a data processor is to always have a DPA in place. So long as a data processor is working to the instructions of a data controller, the data controller primarily remains liable to data subjects if things go wrong.
We've seen above that a company which primarily acts as a data processor will almost certainly also be a data controller in some respects. This is true whenever it determines the means and purposes of processing personal data in its own right.
But then there is the data that the company receives from the data controller, or collects on its behalf. This personal data can only be processed subject to a DPA.
If the company goes off course and starts processing personal data outside of this agreement, for example by gathering additional personal data that it has not been instructed to collect, or processing personal data in a way that has not been instructed, Article 28(10) of the GDPR states that it will be considered a data controller.
"Unintentionally" becoming a data controller in this way would be a very bad thing. It would expose the company to direct liability as a data controller.
To avoid incurring this additional liability, it must be clear at all times which role your company is fulfilling.
The GDPR places new obligations on a data processor, over and above simply complying with a DPA. These are things the data processor must do whether or not they're included explicitly in the DPA.
Under the GDPR's predecessor, the Data Protection Directive, data processors were only really liable under their contract with a data controller rather than the law itself.
The GDPR, however, imposes several legal obligations directly on data processors, including:
Failing to fulfill these obligations could mean that a data processor is liable to pay compensation to data subjects or pay fines to a Data Protection Authority.
Just like a data controller can hire a data processor to process personal data on its behalf, a data processor can hire a subprocessor. This subprocessor is still considered to be processing personal data on behalf of the original data controller.
Article 28(4) of the GDPR gives some requirements for data processors when they are hiring subprocessors.
For example, a data processor may only hire a subprocessor with written agreement from its data controller (this can be a general agreement)
There must be a Data Processing Agreement in place between the data processor and subprocessor that complies with the conditions under Article 28(3) (as above). This agreement must offer the same level of protection as the original DPA.
The data processor will be liable to the data controller for any damage caused by a subprocessor's violation of the GDPR.
So, let's say a subprocessor breaches its contract with its data processor, in a way that causes damage to a data subject. The following principles will apply:
This table sets out the activities for which data controllers and data processors are liable under the GDPR.
Note that a data processor may also be liable to its data controller if it breaches its DPA, and a subprocessor may be liable to its data processor.
Remember that a company that normally acts as a data processor will also be a data controller in certain respects. It must fulfill the obligations of a data controller whenever it acts as one.
|Data controller||Data processor|
|Determining a legal basis for processing||✔||✗|
|Earning consent for processing (where appropriate)||✔||✗|
|Facilitating data subject rights||✔||✗ (but must assist the controller)|
|Processing personal data securely||✔||✔|
|Notifying the Data Protection Authority and data subjects of a breach (where required)||✔||✗ (but must inform the controller)|
|Only hiring data processors who are GDPR-compliant||✔||✔ (in relation to subprocessors)|
|Keeping data processing records (if required)||✔||✔|
|Only processing personal data under contract||✗||✔|
|Only hiring additional processors with written agreement||✗||✔|
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.