If your business operates in the European Union (EU) or handles EU residents' personal data, you're likely familiar with the General Data Protection Regulation (GDPR). This regulation sets strict rules for how personal data must be processed, stored, and transferred. But what happens when you outsource tasks to third-party vendors, like cloud providers, marketing agencies, or payment processors? If they mishandle data, are you on the hook for their GDPR violations?
The answer depends on whether you're a joint controller or an independent controller under the GDPR. Understanding this distinction is critical to managing your liability.
This article will break down the roles of joint and independent controllers under the GDPR, clarify their responsibilities as outlined in Articles 26 and 28, and provide you with sample contract language you can use to help mitigate risks when working with vendors.
- 1. Understanding GDPR Controller Roles
- 1.1. What are Joint Controllers?
- 1.1.1. What Liability Do Joint Controllers Have?
- 1.2. What are Independent Controllers?
- 1.2.1. What Liability Do Independent Controllers Have?
- 1.3. Processors vs. Controllers
- 2. Joint vs. Independent Controller: Key Risks
- 2.1. Joint Controller Risks
- 2.2. Independent Controller Risks
- 3. Article 26: What are a Joint Controller's Responsibilities?
- 4. Article 28: What are a Data Processor's Responsibilities?
- 5. What Contract Language Should You Include to Protect Your Business and Mitigate Liability?
- 5.1. What are Some Sample Clauses for Joint Controllers (Article 26)?
- 5.1.1. Introduction
- 5.1.2. Data Subject Requests
- 5.1.3. Data Security
- 5.1.4. Data Breach Notifications
- 5.1.5. Transparency
- 5.1.6. Liability
- 5.2. What are Some Sample Clauses for Independent Controllers Using Data Processors (Article 28)?
- 5.2.1. Introduction
- 5.2.2. Scope of Processing
- 5.2.3. Security Measures
- 5.2.4. Sub-Processors
- 5.2.5. Data Subject Requests
- 5.2.6. Data Breach Notifications
- 5.2.7. Audit Rights
- 5.2.8. Return or Deletion of Data
- 5.2.9. Indemnification
- 6. What are Some Practical Steps to Mitigate Vendor-Related GDPR Risks?
- 7. Summary
Understanding GDPR Controller Roles
Under the GDPR, a controller is an entity that determines the purposes and means of processing personal data. In other words, it determines why and how personal data will be processed.
When you work with third-party vendors, both your business and the vendor may process the same data, which raises the question: who's responsible if something goes wrong? The GDPR distinguishes between joint controllers and independent controllers, and each role carries different liability implications.
What are Joint Controllers?
Under Article 26 of the GDPR, joint controllers are two or more entities that jointly determine the purposes and means of processing personal data. This often happens when you and a vendor collaborate closely, sharing decision-making about how data is to be used. However, joint controllership can also arise without any "direct" relationship between the parties at all.
An example of a joint controller with close, direct collaboration would be if your company hires a marketing agency to run targeted ad campaigns, you provide the customer data, and together you and the marketing agency come up with a plan for which data to use, how to segment audiences, and what ads to run. Both of you are joint controllers because together you determine the processing.
An example of a joint controller without a direct relationship would be a business owner who uses a Facebook Page as a marketing outlet. The business owner is a joint controller with Facebook. Both the business owner and Facebook would be responsible for complying with the GDPR in this case.
What Liability Do Joint Controllers Have?
Joint controllers are jointly and severally liable for GDPR violations. This means that data subjects or regulators can hold either party fully responsible for fines or damages, regardless of which of the parties caused the actual violation.
In the marketing agency example above, if the agency fails to secure the data you share with it, your company could still face fines of up to €20 million or 4% of annual global turnover (whichever is higher).
What are Independent Controllers?
Independent controllers make decisions about processing data solely on their own, for their own purposes and means. There is no joint decision-making. Each independent controller is responsible only for their own processing activities.
An example would be if you use a payment processor to handle financial transactions for your ecommerce store. You share customer data with the payment processor for payment processing, but the payment processor independently determines how it's going to secure and process that data as part of providing its services. You're both controllers, but you act independently.
What Liability Do Independent Controllers Have?
Independent controllers are only liable for their own GDPR compliance. In the example above, if the payment processor suffers a data breach due to its own negligence, the payment processor is responsible for it, not the ecommerce business, unless the ecommerce business failed to do its due diligence before choosing that payment processor.
Processors vs. Controllers
It's also worth noting the role of a data processor, which acts on behalf of a controller under Article 28 of the GDPR. A processor doesn't decide the purposes or means of processing, but instead follows the controller's instructions.
For example, a cloud storage provider hosting your data is typically a processor. Processors have their own GDPR obligations, but controllers bear the primary responsibility for ensuring compliance.
Determining whether your vendor is a joint controller, independent controller, or processor is important. Misclassifying these roles can lead to unexpected liability and legal issues.
Joint vs. Independent Controller: Key Risks
Here's a side-by-side look at the key risks of joint and independent controller relationships with vendors:
Joint Controller Risks
- Higher Liability: You're fully liable for the vendor's GDPR violations, even if the vendor, not you, caused the issue.
- More Complex Coordination: You must align with the vendor on GDPR compliance, including data subject requests and breach responses.
- More Regulatory Scrutiny: Joint controllers attract more attention from Data Protection Authorities (DPAs), as both parties are accountable.
Example of Risk: If a joint controller vendor suffers a data breach, you could face fines and reputational damage, even if your own security was flawless.
Independent Controller Risks
- Lower Liability: You're only liable for your own processing activities, not the vendor's.
- Due Diligence Required: You must ensure the vendor is GDPR-compliant before sharing data with them.
- Limited Control: You can't dictate how the vendor processes data for their own purposes.
Example of Risk: If an independent controller vendor misuses data, you're not liable unless you failed to verify their compliance.
In sum, joint controller relationships carry higher liability risks due to shared responsibility. Independent controller setups limit your liability but require thorough vendor vetting.
Article 26: What are a Joint Controller's Responsibilities?
Article 26 of the GDPR governs joint controllers. It requires them to do the following:
- Define Roles and Responsibilities: Joint controllers must have a transparent arrangement/agreement (usually a contract) that outlines each party's GDPR obligations, including:
  - Who handles data subject requests (requests to access, delete, etc.)
  - Who ensures the security of the data
  - Who notifies regulators in case of a data breach
- Inform Data Subjects: The arrangement's key details must be made available to data subjects, typically via a Privacy Policy.
Here's an excerpt of the beginning of a Joint Controller Agreement between two different companies. You can see how it declares that both parties are to be considered controllers, and that the agreement sets out the terms of the relationship with an aim towards legal compliance:
The agreement goes on to discuss the obligations of each party, stating that they each must comply with the GDPR. Note that this is just an excerpt of the obligations section:
Next, fulfilling data subject rights requests is addressed. Each party is to be responsible for fulfilling the requests it receives, and must communicate with the other party if the request relates to jointly-processed data:
The agreement sets out what must happen in the event of a personal data breach, noting that each party is responsible for fixing and mitigating damage from a breach they experience, and that the other party must be informed:
Article 28: What are a Data Processor's Responsibilities?
Article 28 of the GDPR applies when a vendor acts as a data processor. It requires the following:
- Written Contract: There must be a contract in place between the data controller and processor (often called a Data Processing Agreement (DPA)) that details the following:
  - The subject matter, duration, nature, and purpose of the data processing.
  - The types of personal data and categories of data subjects that will be processed.
  - The processor's obligations, including security measures, sub-processor approvals, and audit rights.
- Due Diligence: Controllers must choose processors that provide "sufficient guarantees" of GDPR compliance.
- Processor Obligations: Processors must do the following:
  - Process data only based on the controller's instructions.
  - Implement appropriate security measures to protect the data.
  - Assist with data subject requests, breach notifications, and impact assessments.
  - Delete or return data after the contract ends.
Here's an excerpt from Oracle's DPA that notes how Oracle is the processor, and will process personal information on the controller's behalf. It notes how each party is responsible for compliance under its respective obligations, and that Oracle will process personal information in accordance with this and a related agreement. It notes the specific ways the personal information is to be used, including for hosting and storage, issue resolution, IT security purposes and others:
There's a robust security clause that states Oracle has implemented and will maintain appropriate security measures for the processing of the personal information:
Audit rights and assistance with Data Protection Impact Assessments (DPIAs) are addressed. Note that this is just an excerpt of a longer clause:
There's also a section addressing the return and deletion of personal information after the contract is terminated or completed:
What Contract Language Should You Include to Protect Your Business and Mitigate Liability?
To minimize GDPR liability when working with vendors, your contracts must clearly define roles, responsibilities, and safeguards. We looked at some examples from contracts above. Below, we provide some template-style sample contract clauses for joint controllers (Article 26) and processors (Article 28). These are starting points, but should be tailored to your business's unique and specific needs.
What are Some Sample Clauses for Joint Controllers (Article 26)?
These sample clauses will help you define the responsibilities in a joint controller relationship.
Introduction
Start your contract with a simple statement that sets out the joint controller relationship, and that each party agrees to the rest of the terms.
Joint Controller Agreement
The Parties [Party A and Party B] acknowledge that they act as joint controllers under Article 26 of the GDPR with respect to the processing of personal data for [specify purpose, e.g., joint marketing campaigns]. The Parties agree to the following allocation of responsibilities:
Data Subject Requests
Set out which party is to handle data subject requests, and which party must provide support.
[Party A] shall handle all data subject requests (e.g., access, rectification, erasure) and respond within the GDPR's 30-day deadline. [Party B] shall provide reasonable assistance, including access to relevant data, within 5 business days of a request.
Data Security
Make each party responsible for having appropriate security measures in place.
Each Party shall implement technical and organizational measures to ensure the security of personal data, including [specify measures, e.g., encryption, access controls].
Data Breach Notifications
Set out timeframes for data breach notifications to the other party.
In the event of a personal data breach, the Party discovering the breach shall notify the other Party within 24 hours and the competent supervisory authority within 72 hours, as required by Article 33 of the GDPR.
Transparency
Require each party to be transparent and have valid Privacy Policies.
The Parties shall make the essence of this arrangement available to data subjects via their respective Privacy Policies, including contact information for both Parties.
Liability
Make a reference to liability and that the liability is joint.
Each Party shall be jointly and severally liable for GDPR compliance, except where one Party can demonstrate it is not responsible for a violation.
What are Some Sample Clauses for Independent Controllers Using Data Processors (Article 28)?
These sample clauses will help you define the responsibilities of a data processor.
Introduction
Start with an introductory clause that sets out the nature of the relationship.
Data Processing Agreement
The Processor agrees to process personal data on behalf of the Controller in accordance with Article 28 GDPR. The Processor shall:
Scope of Processing
Note that the processor must only process data according to explicit instructions provided by the data controller.
Personal data is to be processed only in accordance with documented instructions from the Controller, as outlined in Annex A (describing the subject matter, duration, nature, and purpose of processing; types of personal data; and categories of data subjects).
Security Measures
Require the processor to have security measures in place.
The processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including [specify measures, e.g., encryption, regular security audits].
Sub-Processors
Include a clause that limits which sub-processors the original processor can work with, and set parameters around it, such as requiring written approval from the controller or banning sub-processors outright.
The Processor will not engage any sub-processors without prior written authorization from the Controller. The Processor shall ensure sub-processors are bound by equivalent obligations as this agreement.
Data Subject Requests
Require the processor to assist the controller with any data subject requests that relate to the processing.
Processor will assist the Controller in responding to data subject requests within the GDPR's 30-day deadline, providing relevant data or information within 5 business days.
Data Breach Notifications
Explicitly require the processor to swiftly notify the controller of any data breaches that occur that involve the controller's data.
The Processor will notify the Controller without undue delay, and no later than 24 hours, after becoming aware of a personal data breach.
Audit Rights
Maintain the right to audit the processor in order to prove ongoing compliance.
The Processor will make available all information necessary to demonstrate compliance and allow audits by the Controller or an authorized third party.
Return or Deletion of Data
Address how the data shared with the processor is to be handled at the end of the contract, such as by returning it to the controller or deleting it.
At the Controller's choice, delete or return all personal data upon termination of services, unless EU or Member State law requires retention.
Indemnification
Limit the controller's liability by including an indemnification clause.
The Processor shall indemnify the Controller for any fines, damages, or costs arising from the Processor's breach of this agreement or its GDPR obligations.
What are Some Practical Steps to Mitigate Vendor-Related GDPR Risks?
Here are a few actionable steps you can take to protect your business from vendor-related GDPR liability:
- Determine the Vendor's Role: Before sharing any data, determine if the vendor is a joint controller, independent controller, or processor. Become clear on what their role is, if any, in deciding how and why data is processed.
- Conduct Due Diligence: Always vet vendors for GDPR compliance. Review their Privacy Policies, and ask to review things like security certifications and evidence of prior audits.
- Use Robust Contracts: Include clear GDPR-compliant contract clauses (like those above) in all of your vendor agreements. Specify roles, responsibilities, and liability allocation.
- Monitor for Ongoing Compliance: Regularly audit your vendors, review their security practices, and ensure they maintain GDPR compliance through the entire length of your contract with them.
- Update Your Privacy Policies: In your Privacy Policy, disclose your vendor relationships and that you share data with third parties or have a joint controller relationship.
- Train Your Team: Educate employees on GDPR obligations and vendor management to prevent accidental non-compliance.
- Consider Using a Vendor Management Tool: This can be an easy way to track compliance, contracts, and audit schedules for all third parties you work with.
Summary
Vendor relationships are a common aspect of running a business, but they do come with GDPR compliance risks. Whether your vendor is a joint controller, independent controller, or processor, understanding their role under GDPR Articles 26 and 28 is key to managing liability.
Joint controllers share full liability, which makes it critical to have very clear contracts in place that outline which party is to do what. Independent controllers limit your exposure to legal risks, but they require due diligence. Processors must follow your instructions, but you're responsible for choosing compliant partners.
By using the sample contract clauses provided and following our practical steps, you can minimize GDPR risks while maintaining productive vendor relationships.