- Why is it important to distinguish between controllers and processors?
- How do you determine whether you are a controller or processor?
- How does this apply in practice?
- Can you be both a controller and a processor of personal data?
The nature of your UK GDPR obligations will depend on whether you are a controller, joint controller or processor. Therefore, it is very important that you carefully consider your role and responsibilities in respect of your data processing activities, so you understand:
- your UK GDPR obligations and how to meet them;
- your responsibilities to individuals and supervisory authorities (including the ICO) and the penalties associated with non-compliance, such as fines and other enforcement powers; and
- how you can work with other organisations to ensure you process personal data responsibly and respect individuals’ rights.
Controllers (including joint controllers) have more obligations under the UK GDPR than processors do, because they decide what personal data is collected and why, and exercise ultimate control over the data. UK controllers must also pay a data protection fee unless they are exempt.
Processors have fewer obligations, but must be careful to only process personal data in line with the relevant controller’s instructions.
It is important to remember that an organisation is not by its nature either a controller or a processor. Instead you need to consider the personal data and the processing activity that is taking place, and consider who is determining the purposes and the manner of that specific processing.
You need to ask which organisation decides:
- to collect personal data in the first place;
- the lawful basis for doing so;
- what types of personal data to collect;
- the purpose or purposes the data are to be used for;
- which individuals to collect data about;
- whether to disclose the data, and if so, to whom;
- what to tell individuals about the processing;
- how to respond to requests made in line with individuals’ rights; and
- how long to retain the data or whether to make non-routine amendments to the data.
These are decisions that determine the purposes and means of the processing. Therefore, if you make any of these decisions, it is likely that you are a controller.
However, within the terms of its contract with the controller, a processor may decide:
- what IT systems or other methods to use to collect personal data;
- how to store the personal data;
- the details of the security measures to protect the personal data;
- how it will transfer the personal data from one organisation to another;
- how it will retrieve personal data about certain individuals;
- how it will ensure it adheres to a retention schedule; and
- how it will delete or dispose of the data.
These lists are not exhaustive, but illustrate the differences between the controller’s and the processor’s roles. In certain circumstances, and where allowed for in the contract, a processor may have the freedom to use its technical knowledge to decide how to carry out certain activities on the controller’s behalf. However, it cannot take any of the overarching decisions, such as what types of personal data to collect or what the personal data will be used for. Such decisions must only be taken by the controller.
The definition of a processor can be difficult to apply in the complexity of modern business relationships. In practice, there is a scale of responsibility in how organisations work together to process personal data. The key is to determine each party’s degree of independence in deciding how the data is processed, as well as its degree of control over the data.
At one extreme, one party (the client) will determine what personal data is to be processed and provide detailed processing instructions that the other party (the service provider) must follow. The service provider is tightly constrained in what it can do with the data and has no say at all over how it is processed. In this relationship the client is clearly the controller and the service provider is the processor.
However, it is far more common for a data controller to allow its processor discretion over how the processing takes place using its own expertise.
A bank hires an IT services firm to store archived data on its behalf – having ensured that the IT firm has given sufficient guarantees about the security of its systems and processes. The bank will still control how and why the data is used and determine its retention period. In reality the IT services firm will use a great deal of its own technical expertise and professional judgement to decide how best to store the data in a safe and accessible way.
However, despite this freedom to take technical decisions, the IT firm is still not a data controller in respect of the bank’s data – it is a processor. This is because the bank retains exclusive control over the purpose for which the data is processed, if not exclusively over the manner in which the processing takes place.
A private company provides software to process the daily pupil attendance records of a state-maintained school. Using the software, the company gives attendance reports to the school.
The company’s sole purpose in processing the attendance data is to provide this service to the school. The school sets the purpose – to assess attendance. The company has no need to retain the data after it has produced the report. It does not determine the purposes of the processing, it merely provides the processing service. This company is likely to be a processor.
A bank contracts a market-research company to carry out some research. The bank’s brief specifies its budget and that it requires a satisfaction survey of its main retail services based on the views of a sample of its customers across the UK. The bank leaves it to the research company to determine sample sizes, interview methods and presentation of results.
The research company is processing personal data on the bank’s behalf, but it is also determining the information that is collected (what to ask the bank’s customers) and the manner in which the processing (the survey) will be carried out. It has the freedom to decide such matters as which customers to select for interview, what form the interview should take, what information to collect from customers and how to present the results. This means the market-research company is a joint controller with the bank regarding the processing of personal data to carry out the survey, even though the bank retains overall control of the data because it commissions the research and determines the purpose the data will be used for.
A hospital is sending envelopes containing patient data to another health provider and contracts a delivery service to deliver them.
The delivery service is not processing the personal data contained in those envelopes. Although it is in physical possession of the envelopes, it has no idea what the envelopes contain and may not open them to access the content. For data protection purposes, the delivery service does not ‘process’ any personal data contained within those envelopes.
The hospital that chooses to use the delivery service is the controller responsible for the data contained in the envelopes. If the delivery service loses or misdirects an envelope containing highly sensitive personal data, for data protection purposes the controller that sent it is responsible for that loss. So the sender should think carefully about the type of service that is most appropriate in the circumstances.
An online retailer contracts a mail delivery service to deliver orders to customers. The customers can use a website to check the status of their order and track its delivery.
The retailer will be the controller for any personal data inside the package. The delivery service will not be a controller or a processor for any personal data contained inside the package, as it has no control over or access to that data.
However, the delivery company will be processing some personal data (eg the name and address of the customer) in order to deliver the package and provide the tracking service. Whether it is a controller or a processor for the tracking element of the service will depend on who makes the decisions. If the retailer makes the final decision on the tracking service to be provided and the delivery service merely follows the retailer’s instructions, then the retailer will be the controller and the delivery service is likely to be a processor. But if the delivery company independently decides on the tracking service provided to individuals without the retailer’s sign-off, it will be a controller.
Yes. If you are a processor that provides services to other controllers, you are very likely to be a controller for some personal data and a processor for other personal data. For example, you will have your own employees so you will be a controller regarding your employees’ personal data. However, you cannot be both a controller and a processor for the same processing activity.
In some cases, you could be a controller and a processor of the same personal data – but only if you are processing it for different purposes. You may be processing some personal data as a processor for the controller’s purposes and only on its instruction, but also process that same personal data for your own separate purposes.
In particular, if you are a processor, you should remember that as soon as you process personal data outside your controller’s instructions, you will be acting as a controller in your own right for that element of your processing.
If you are acting as both a controller and processor, you must ensure your systems and procedures distinguish between the personal data you are processing in your capacity as controller and what you process as a processor on another controller’s behalf. If some of the data is the same, your systems must be able to distinguish between these two capacities, and allow you to apply different processes and measures to each. If you cannot do this, you are likely to be considered a joint controller rather than a processor for the data you process on your client’s behalf.