Data Controllers and Data Processors

The GDPR categorizes people and organizations on the basis of their relationship to personal data. These different categories confer very different roles and responsibilities. It's possible to be in one category in some respects, and a different category in others.

It's crucially important to understand which category you as a developer (or your company) occupy.

When processing personal data, you'll be doing so either as a data controller or a data processor.

In this chapter, you'll be figuring out which of these two roles you fall into, and what this means for your data protection practices.

People and Organizations According to the GDPR

No matter who you are, you'll feature in the GDPR in at least one role. We're going to focus on data controllers and data processors in this chapter, but let's take this opportunity to define some other terms as well.

Here are the four major players that feature throughout the text of the GDPR:

  1. Data controller - A person or organization that "determines the purposes and means" of processing personal data. A data controller can be an individual, private company, public body or even a government - all that matters is that it has decided how and why personal data will be processed.

  2. Data processor - An organization that "processes data on behalf of a data controller." A data processor is processing personal data because it has been asked to do so by a data controller. It must follow the data controller's instructions.

  3. Data subject - An individual; an ordinary person, with rights and interests, to whom personal data relates. A data subject is a "natural person," not a "legal person." Legal persons can include companies and other organizations, who cannot own personal data.

  4. Supervisory authority - An independent public body set up in each EU country to enforce the GDPR. Also known as a Data Protection Authority.

Try not to think of your role in the GDPR as defined by what you are. It is better determined by what you are doing with personal data, at any given moment.

Differences Between GDPR Data Controllers and Data Processors

A data controller can be thought of as the "data boss." A data controller takes the decision to process someone's personal data, in connection with a specific purpose. It also decides how this processing should occur.

A data processor is more like the data controller's employee. A data processor processes personal data in order to fulfill the data controller's purposes. Even if it has devised the method of processing that data, it can't be said to determine how personal data is processed in any given instance.

The following types of business will normally be acting as data controllers:

  • Ecommerce stores
  • Social media networks
  • Insurance companies

The following types of business will normally be acting as data processors:

  • Analytics providers
  • Email marketing services
  • Payroll companies

Case Study

Let's put this in context. We'll see how a company can be a data controller and a data processor, and work with data processors and other data controllers, all depending on the context.

BigPrint is a printing company. It has a mailing list. It collects email addresses via a web form and shares these with email marketing company Mailchimp. Mailchimp sends emails on BigPrint's behalf.

BigPrint is the data controller in this respect. Mailchimp is the data processor.

  • BigPrint collects the personal data
  • BigPrint shares the personal data with Mailchimp
  • BigPrint decides how often direct marketing emails are sent
  • Mailchimp sends the emails using personal data provided by BigPrint

BigPrint also runs analytics on its website using Google Analytics. It uses Google Analytics to gain insights about web traffic and user behavior on its site.

BigPrint is also the data controller in this respect. Google Analytics is the data processor.

  • Google collects the personal data

However:

  • BigPrint determines how and why the personal data is processed
  • BigPrint tells Google what personal data to collect
  • BigPrint can access and modify the personal data

BigPrint receives an order from a client, a local art collector. The art collector is running an exhibition and wants BigPrint to print the invitations. The art collector shares the invitees' names and addresses with BigPrint.

BigPrint is the data processor in this respect. The art collector is the data controller.

  • The art collector collects the personal data
  • The art collector determines how and why the personal data is processed
  • The art collector shares the personal data with BigPrint
  • BigPrint processes the personal data by producing the invitations

The art collector makes a payment on BigPrint's website using PayPal.

PayPal is the data controller in this respect. BigPrint is also a data controller, but not in this context. The art collector is the data subject.

  • PayPal determines what personal data is required to process the payment
  • PayPal collects the personal data (credit card information or login data)
  • PayPal contacts the acquiring bank to obtain the art collector's payment
  • PayPal stores the personal data and is responsible for protecting it

Are You a GDPR Data Controller or a Data Processor?

We've seen that it is possible to be a data controller in some contexts and a data processor in others. However, there are different roles and responsibilities for each, and it's important to determine the primary role of your company.

Below is a table containing some questions about your relationship to personal data and data subjects. This should help you determine which category you fall into.

| Question | Data controller | Data processor |
|---|---|---|
| Did you take the initial decision to collect the personal data? | Yes | No |
| Did you decide which types of personal data to collect? | Yes | No |
| Did you decide the purpose for which the personal data will be processed? | Yes | No |
| Did you determine the legal basis for processing? | Yes | No |
| Are you responsible for telling data subjects about the processing? | Yes | No |
| Are you responsible for receiving and coordinating data subject rights requests? | Yes | No |
| Are you responsible for earning consent for the processing where applicable? | Yes | No |

You may not know which of these apply to you yet. You can refer back to this section as you learn more about the GDPR.

Shared Responsibilities

There are a number of roles and responsibilities that both data processors and data controllers have in common.

For example, both data controllers and data processors must:

  • Understand the GDPR
  • Appoint a Data Protection Officer and/or an EU Representative if required (we'll be looking at this in detail later)
  • Store and otherwise process personal data securely
  • Only transfer personal data out of the EU with appropriate safeguards in place
  • Make sure that there is a written contract in place whenever they are working together

Data Processing Records

Both data controllers and data processors are also responsible for keeping extensive records of their data processing activities, but only if at least one of the following applies:

  • They are a company with over 250 employees
  • The processing is not occasional
  • The processing could be high risk
  • The processing involves "special category" (sensitive) personal data, or criminal conviction data. Special category data includes information about people's:
    • Race
    • Political views
    • Religion or beliefs
    • Sex life
    • Genetic, biometric or health data
    • Union membership

Where these records are required, both a data controller and data processor must provide:

  • Their company's name and contact details, and those of its Data Protection Officer and/or EU Representative (if it has either)
  • Details of any safeguards that are in place for international transfers of personal data
  • A description of the technical security measures it has in place

For a data controller, these records must also contain information about:

  • The purposes of the data processing
  • The types of data subjects and personal data it processes
  • The types of third parties it will share personal data with
  • Storage periods for different types of personal data

For a data processor, these records must also contain information about:

  • The name and contact details of each data controller it is working with
  • The types of data processing it carries out for each data controller

Data Processing Agreement

It's absolutely crucial that all arrangements between a data controller and a data processor take place under a Data Processing Agreement. This is a legally binding contract.

The GDPR has very specific requirements for what this agreement must contain. The requirements for Data Processing Agreements are mostly contained in Article 28.

A Data Processing Agreement must contain details of:

  • The subject matter, duration, nature, and purpose of the processing
  • The categories of personal data that will be processed, and the categories of data subject
  • The data controller's obligations
  • The data processor's obligations

Here's an excerpt from Shopify's DPA. Here Shopify sets out some of its obligations as data processor:

Shopify Data Processing Addendum: Section 3 4 excerpt

Shopify is a large data processor, and so requires its clients to agree to this contract when they sign up to use its services. However, there are two things to note about this:

  1. Not all data processors will have a standard Data Processing Agreement. If you're a data controller engaging a data processor, you may be required to produce one yourself.
  2. Even where a standard Data Processing Agreement is offered by a data processor, the data controller must still ensure that the contract is valid and the data processor is GDPR-compliant.

Where a data processor subcontracts some data processing out to another processor (known as a subprocessor), they will also need a similar written contract in place for this arrangement.

GDPR Responsibilities of Data Controllers

Data controllers have a direct relationship with data subjects, and they have a direct interest in the end result of the data processing.

A developer may create an application or website that collects personal data. They will be the data controller if they (or their company) have also decided why this personal data should be collected.

A data controller must comply with the GDPR in full. There are some things that are particularly important for a data controller:

  • Following the principles of the GDPR. These must also be followed by data processors, but most of the actual implementation of these principles is the responsibility of the data controller.
  • Creating a Privacy Policy to be read by data subjects.
  • Dealing with data subject rights requests directly with the data subject. The processor may be required to help access or modify data.
  • Choosing data processors carefully and subject to due diligence.
  • Carrying out a Data Protection Impact Assessment when required.
  • Notifying the Data Protection Authority, and in some cases the data subjects, if a data breach has occurred.
  • Paying a fee to a Data Protection Authority where applicable.

We'll be looking at many of these responsibilities in detail throughout this book.

Developer Case Study

Here's an example of how a developer might act as a data controller.

NewsBash has developed a news feed app, which asks users to create an account. The app asks for a first name, last name, and email address. If a user (data subject) creates an account, the app can remember the user's preferences, and the user can log in across multiple devices.

Create Account form example

As the developer, NewsBash is controlling all the personal data in this scenario. It has decided how and why the personal data is collected. It is a data controller.

NewsBash must create a Privacy Policy, and it must facilitate data subject rights requests. It must also determine whether it has a legal basis for processing.

NewsBash has been asking its users to consent to receive marketing communications, and has collected several thousand email addresses in a mailing list. NewsBash decides to outsource its marketing to an email marketing company.

Before sharing any personal data with this marketing company, NewsBash and the company must have a Data Processing Agreement in place.

NewsBash should consider whether the consent it has obtained from its users will allow it to share its personal data with this third party. If not, it may have to ask its users to consent to this separately.

In any case, NewsBash will need to update its Privacy Policy to reflect the new arrangement, and it must make its users aware that it has done this.

Generic mobile email Updates to our Privacy Policy in accordance with GDPR

Responsibilities of GDPR Data Processors

Data processors do not generally have a direct relationship with data subjects, and they do not have a direct interest in the end result of the data processing.

A developer may create an application or website that collects personal data. They generally will be the data processor if this app or website is designed to be used by other companies, so long as these companies are deciding why personal data should be collected.

There are some responsibilities which are unique to a data processor:

  • Processing personal data under the strict instructions of a data controller
  • Appointing subprocessors to do additional processing where required, but only with the written agreement of the data controller
  • Helping the data controller with data subject rights requests if required
  • Assisting the data controller with Data Protection Impact Assessments where required
  • Notifying the data controller if a data breach has occurred

Developer Case Study

Here's an example of where a developer can act as a data processor.

VayCay is developing an app which allows employers to track their employees' vacation days. An employer can enter the names of their employees and make use of a calendar facility. The employer can allow employees to create their own accounts on VayCay's app, and book time off through a central system.

In this scenario, VayCay is a data processor and its users (the employers) are data controllers. The employer's employees are data subjects. VayCay and each of its users must have a Data Processing Agreement in place.

Even though VayCay's users are transferring personal data to it, they have determined the purposes and means of the processing. The users are responsible for creating a Privacy Policy for their employees (the data subjects).

The data controlled by VayCay's users is stored on VayCay's servers. Sometimes when an employee leaves a user's company, the employee submits a data subject rights request directly to VayCay, asking that their personal data be erased.

In this event, VayCay must contact the relevant user (employer) to let them know that there has been a request from a data subject. As the data controllers, VayCay's users are responsible for deleting the data.

Because VayCay is receiving a large number of requests from data subjects, it decides to work with a customer service company. The company will receive requests from data subjects and communicate them to VayCay's users.

The customer service company is a subprocessor. Before VayCay shares any personal data with this subprocessor, it must obtain written permission from the relevant user (data controller). VayCay must have a written contract in place with its subprocessor, such as the one here from HubSpot:

HubSpot Data Processing Agreement intro

Key Takeaways from This Chapter

The GDPR's model seems complicated at first, but in most situations, it should be obvious where you fit.

  • Data controllers decide why and how personal data is processed
  • Data processors process personal data on behalf of a data controller
  • Data controllers have the most direct responsibilities over data subjects
  • Data processors must help data controllers meet these responsibilities
  • Data controllers and data processors must only work together under a Data Processing Agreement