Four months after the introduction of the General Data Protection Regulation (GDPR), reports on compliance rates are increasingly present. It appears that despite the efforts and financial investments made by many companies with a view to 25 May 2018, a large part of the companies is not yet in compliance with the provisions of the GDPR.
One of the reasons for this is, according to Wolfsen, the director of the Dutch Authority for Personal Data (the Dutch supervisory authority, similar to the Belgian Data Protection Authority, formerly the Privacy Committee), confusion about different notions in the GDPR, especially on the distinction between data controller and data processor.
The GDPR, nevertheless, puts the dichotomy quite simple. An entity is a controller if it “determines the purposes and means of the processing” and is a processor in the case of “processing of personal data on behalf of a controller”. Nevertheless, the distinction sometimes proves difficult in practice. Some companies try to point the finger at one another for responsibility or try to contractually allocate roles. However, an incorrect qualification can result in companies trying to meet the wrong GDPR obligations. This brings us to the question: "what is meant by purpose and means of the processing, and when are you considered to determine them"?
The controller is the entity who determines the purpose and means of the processing, in other words the one who determines the 'why' and 'how' of the processing. Examples of purposes include optimizing the surfing experience on a website or providing personalized advertising. Contrary to what the term "means of processing" might suggest, it does not solely refer to the technical modalities of processing, such as for example the use of cookies, but also includes for example the determination of the type of data that will be processed, as well as the determination of the retention period of the data. A typical example of a controller is an employer.
When the means are determined on behalf of the controller, the answer is less clear cut. The question to be asked here is whether the processor decides upon the essential elements of the means. If the processor determines only the technical and organizational aspects, it is unlikely that this would be the case. An example is the provision of cloud storage.
On the other hand, if the processor decides on for example the retention period of personal data or the transfer of data to third parties, he would not qualify as an actual processor, but rather as a controller. Moreover, when an entity that qualifies itself as a processor had a share in determining the purposes underlying the processing, it will rather be qualified as a controller.
This share can consist of using the processed data to one's own benefit, for example by providing add-on services, or by merely influencing the determination of purposes. This follows from the Wirtschaftsakademiejudgment in which the German Wirtschaftsakademie, which did not have access to the processed personal data, was held a joint controller (with Facebook) on the basis of the advantage that Wirtschaftsakademie derived from the processing and the influence it had on determining the purposes of the processing.
It follows from the above that determining the distinction between controller and processor is a matter of fact. The qualification must be decided on a case-by-case basis and cannot be laid down in a contract if it does not correspond to reality.
The importance of the distinction between controller and processor lies in the difference in obligations and responsibilities that both qualifications entail. The controller bears the main responsibility for the processing. For example, the controller will be responsible for compliance with the GDPR by the processor, obtaining legal permission and granting rights to the data subjects, such as the right of access (with or without the help of the processor). If you are a processor, you must, among other things, process the personal data in accordance with the purposes determined by the controller, inform the controller of data leaks and cooperate in compliance checks with the GDPR.
If you are mistaken about your role or your contractually determined role does not correspond to reality, there may be an incorrect qualification and you may not meet the correct obligations of the GDPR, which may result in a sanction or administrative fine.
Do you have a legal question about the qualification of your company as a controller or as a processor and the associated GDPR obligations? International law firm time.lex can help you with the correct qualification. Want to know more? Please contact time.lex for a non-binding introduction.