An important part of the GDPR is to know whether your organisation is controller or processor for a certain processing. In some cases, your organisation might even be joint controller with another organisation. We have written about this before but it can not be stressed enough. The rules for determining whether an organisation is controller or processor are clear in theory, but in practice, difficult considerations must be made. Moreover, it is important to know the consequences that are attached to the different roles.
Published November 10th 2020
Determine what your role is
The first aspect is to decide what your role is in the processing at hand. The legal status as a controller or processor must always reflect on the actual situation. It does not matter whether an entity is named controller or processor in a contract, if the entity in question in fact acts as the other.
The controller is the entity that determines the purpose and means of the processing. This means that a controller is a body that decides certain key elements about the processing: why the processing is taking place and how this objective shall be reached. In some cases, the controller is determined by law. In other cases, you have to see which entity has the factual influence over a certain processing. An assessment must be made regarding each individual processing. For example, if Company A and Company B work together to advertise an exhibition, Company A might be the controller for one processing related to the exhibition and Company B for another. The fact that Company A is the controller for the first processing does not mean that it is the controller for the second processing.
However, it is not always just one controller for a certain processing. Controllers might be jointly responsible. This is the case when the purpose and means of the processing are determined by more than one entity.
The assessment of joint controllership is simply put the same as the one made for controllers, with the difference that an entity does not decide the purpose and means of the processing on its own but together with another entity. In order for a controllership to be joint, the controllers must decide the purpose and means together. Both the purpose and the means of the processing must be determined by all entities concerned for it to be joint controllership. The determination of joint controllership should be carried out on a factual analysis on the purposes and means of the processing.
The processor process personal data on behalf of the controller. The processor is serving someone else´s interests and may not carry out processing for its own purposes. The processor is always a separate entity in relation to the controller.
Some of you might have noticed that the processer sometimes decides how to carry out the processing. For example, if a controller hires a processor to handle their IT and external storage, the processor might have a greater knowledge in these fields than the controller. Therefore, the processor has a possibility to decide some elements regarding how the processing is to be carried out without becoming the controller. These elements relate to more practical aspects of implementation, such as the choice for a particular type of hardware. The result of this is that the processor sometimes decides the means of the processing without becoming the controller. However, the processor can not decide the purpose of the processing without becoming the controller.
Responsibilities for controllers
The controller is responsible for compliance with the GDPR. The controller also has a duty to only hire processors that meet the security measures in the GDPR. This means that even though the processor might decide some elements regarding the means of the processing, the controller remains responsible for the implementation of appropriate technical and organisational measures. This duty does not end when the controller and processer sign a contract. Instead, the controller must verify the processor´s guarantees throughout the contract.
In order for the controller to be able to demonstrate the lawfulness of the processing, it is advisable to document at the minimum necessary technical and organisational measures in e.g. a contract between the controller and the processor. You can read more about a so called Data Processing Agreement here (in Swedish).
Responsibilities for joint controllers
The qualification of joint controllers will mainly have consequences in terms of allocation of obligations for compliance with data protection rules and in particular with respect to the rights of individuals. In a joint controllership, it becomes very important to determine which controller is responsible for compliance with the obligations in the GDPR. The joint controllers must therefore organise and agree on how and by whom the information to data subjects will be provided and how and by whom the answers to the data subject’s requests will be provided. This can be done in a so called Data Sharing Agreement (read more here). When regulating “who does what”, the controllers avoid blind spots, whereby some of the obligations in the GDPR are not fulfilled by either entity. This also ensures that the protection of personal data is not reduced. However, the data subject may contact either of the joint controllers to exercise his or her rights. Furthermore, both controllers are responsible for ensuring that they both have a legal basis for the processing.
As you can see, some requirements in the GDPR are applicable to all entities that are controllers – jointly or alone. Another example is the requirement for controllers to keep a record of processing activities. This must be done by each of the joint controllers. Do you have a record of processing activities? We at GDPR Hero are specialized in this area of the GDPR and will be more than happy to help you fulfil this requirement. Do not hesitate to contact us!
Responsibilities for processors
The processor must always comply with, and act only on, instructions from the controller. The processor shall not go beyond what is instructed by the controller. The processor must make sure that anyone it allows to process the personal data is committed to confidentiality and make sure to implement appropriate technical and organizational security measures. Moreover, the processor has an obligation to assist the controller and to make available all information necessary for the controller to demonstrate compliance.
It is not only the controller that has to demonstrate compliance with the GDPR. The processor shall also be able to demonstrate compliance. The GDPR lays down obligations directly applicable specifically to processors. Processors can be fined in case of non-compliance with the obligations of the GDPR that are relevant to them and both controllers and processors are directly accountable towards supervisory authorities. A processor can also be held liable or fined in case it acts outside or contrary to the lawful instructions of the controller.
GDPR Hero – the tool to help you!
According to the GDPR, both controllers and processors are many times obliged to keep records about their processing activities and to regulate the relationship between them.
In GDPR Hero, you can easily enter all the companies you transfer personal data to or receive personal data from. You will also have support from us, through e-mail, chat or phone.
Feel free to book a demonstration to learn more about how you can become GDPR-compliant. You can book the demo here.