Determining whether and to what extent your company is subject to the General Data Protection Regulation (GDPR) is an important question for businesses across the United States and Europe. The GDPR has defined roles to help companies understand their responsibilities with respect to the processing of personal data. This installment of The eData Guide to GDPR discusses the respective roles of data controller and data processor, and what those terms mean for companies whose business may involve European contacts.
It is important to understand that the GDPR is indeed a law with global reach despite on its face being focused on protecting the personal data of its citizens and inhabitants. There are three main triggers for GDPR applicability. First, the GDPR regulates the processing of personal data by any legal person or company established in the European Union.[1] Second, it regulates the processing of personal data by any legal person or company providing goods or services to individuals within the EU,[2] which establishes the territorial scope of the regulation across the globe. Third, the GDPR regulates the processing of personal data belonging to data subjects in the EU when the processing relates to the monitoring of data subjects’ behavior taking place within the EU.[3] Although this guide and the regulation itself usually use the term EU when referring to the GDPR’s scope, the regulation in fact applies to the European Economic Area (EEA), which includes the 28 EU countries plus Iceland, Lichtenstein, and Norway.[4]
The GDPR imposes obligations on all types of organizations, large and small, across all industries, and on data controllers as well as data processors. The terms data controller and data processor have essentially the same definition under the GDPR as they did under Europe’s previous data protection regime, the EU Privacy Directive.[5] “Data controller” is defined as an organization or person who determines the purposes and means of the processing of personal data (why and how data is processed).[6] “Data processor” is defined as an organization or person who processes personal data on behalf of another[7]—this is generally understood to mean an entity that processes personal data at the direction of a data controller. Per Recital 22, the GDPR applies directly to data controllers as well as data processors, unlike the EU Data Privacy Directive, which often imposed direct liability only to controllers. The terms data controller and data processor are defined this way in an attempt to convey responsibility, in both proactive and reactive ways. Proactively, processors and controllers are expected to effectively implement data protection measures and high levels of accountability. Reactively, controllers and processors must ensure that any infringements of privacy rights under the regulation are mitigated, corrected, and compensated for.[8]
Understanding whether your company is a data controller or a data processor is important because the distinction will determine your responsibilities with respect to personal data. Ultimately, data controllers must be able to demonstrate that they have taken adequate steps to ensure that data is “processed lawfully, fairly and in a transparent manner.” Additional responsibilities for data controllers include taking steps to ensure only the minimum data needed for the specified purpose will be processed, and that the data is accurate. All of these responsibilities can be outlined in a set of rules put in place by the data controller at the outset of processing activities, a practice sometimes referred to as “privacy by design,” described in Article 25 of the GDPR. The data controller should then implement procedures to ensure compliance with the processing rules. Article 25 requires that data controllers carry out their data protection responsibilities by implementing appropriate technical and organizational measures (pseudonymization, for example), which can in turn be used to effect data protection principles (data minimization, for example), taking into account factors such as cost and the state of the art.
In contrast, data processors carry out the processing of data pursuant to data controller instructions. The GDPR requires that data controllers secure guarantees from all data processors that the processor will implement adequate technical and organizational measures for compliance.[9] Data processor responsibilities include
Importantly, a processor may not appoint a subprocessor without prior written consent of the data controller, and that subprocessor must be subject to the same terms as the processor.[10]
The GDPR requires that any data controller or processor established within the EU comply with its personal data regulations, whether or not processing takes place within the EU.[11] In situations where one or more organizations together determine why and how data is processed, those organizations are known as “joint controllers.” Joint controllers are required under the GDPR to form an agreement specifying their respective responsibilities.
The European Commission has provided helpful examples of data controllers and data processors:
Controller and processor
A brewery has many employees. It signs a contract with a payroll company to pay the wages. The brewery tells the payroll company when the wages should be paid, when an employee leaves or has a pay rise, and provides all other details for the salary slip and payment. The payroll company provides the IT system and stores the employees’ data. The brewery is the data controller and the payroll company is the data processor.
Joint controllers
Your company/organisation offers babysitting services via an online platform. At the same time your company/organisation has a contract with another company allowing you to offer value-added services. Those services include the possibility for parents not only to choose the babysitter but also to rent games and DVDs that the babysitter can bring. Both companies are involved in the technical set-up of the website. In that case, the two companies have decided to use the platform for both purposes (babysitting services and DVD/games rental) and will very often share clients’ names. Therefore, the two companies are joint controllers because not only do they agree to offer the possibility of “combined services” but they also design and use a common platform.
[1] GDPR Art. 3(1).
[2] GDPR Art. 3(2)(a).
[3] GDPR Art. 3(2)(b).
[4] The GDPR: new opportunities, new obligations, p. 15, Publications Office of the European Union, 2018.
[5] See Directive 95/46/EC, Art. 2(d), (e) and GDPR Art. 4(7), (8).
[6] GDPR Art. 4. Also the European Court of Justice has suggested that a party that “organized, coordinated and encouraged” the collection of data could be deemed a data controller. Judgment of 10 July 2018, Tietosuojavaltuutettu, C-25/17, ECLI:EU:C:2018:551, paragraph 70.
[7] GDPR Art. 4.
[8] GDPR Art. 29, Working Party Opinion 1/2010 on the concepts of “controller” and “processor” (WP 169), p. 7.
[9] GDPR Recital 81.
[10] GDPR Art. 28(2), (4).
[11] GDPR Recital 22 and Art. 3(1). If, however a company offers goods or services to “data subjects who are in the Union,” then any personal data that company processes that belongs to a data subject in the EU is subject to the regulation. Note that the regulation requires something more than the fact that the company’s website can be accessed or its products or services can be purchased by someone in the EU to trigger applicability. The regulation states that the determination of whether a company is offering goods or services will take into account factors such as the use of a language or currency used in one or more of the EU member states with the possibility of ordering goods or services in that language, or references to customers in an EU member state. According to the European Commission rules regarding data protection rules for businesses and organizations, “Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”