The ICO produced guidance in 2014 to assist organisations in determining whether they are a controller or a processor, and it can be accessed here (“Old Guidance”). This has since been updated following the implementation of the GDPR and can be accessed (here) and (here) (“New Guidance”). We have set out below the key points to be aware of:
Determining whether a party is a controller or a processor
The New Guidance contains the following checklists for determining whether you are a controller or processor:
| Are we a controller? | Are we a processor? | Are we a joint controller? |
|---|---|---|
| We decided to collect or process the personal data. | We are following instructions from someone else regarding the processing of personal data. | We have a common objective with others regarding the processing. |
| We decided what the purpose or outcome of the processing was to be. | We were given the personal data by a customer or similar third party, or told what data to collect. | We are processing the personal data for the same purpose as another controller. |
| We decided what personal data should be collected. | We do not decide to collect personal data from individuals. | We are using the same set of personal data (e.g. one database) for this processing as another controller. |
| We decided which individuals to collect personal data about. | We do not decide what personal data should be collected from individuals. | We have designed this process with another controller. |
| We obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller. | We do not decide the lawful basis for the use of that data. | We have common information management rules with another controller. |
| We are processing the personal data as a result of a contract between us and the data subject. | We do not decide what purpose or purposes the data will be used for. | |
| The data subjects are our employees. | We do not decide whether to disclose the data, or to whom. | |
| We make decisions about the individuals concerned as part of or as a result of the processing. | We do not decide how long to retain the data. | |
| We exercise professional judgement in the processing of the personal data. | We may make some decisions on how data is processed, but implement these decisions under a contract with someone else. | |
| We have a direct relationship with the data subjects. | We are not interested in the end result of the processing. | |
| We have complete autonomy as to how the personal data is processed. | | |
| We have appointed the processors to process the personal data on our behalf. | | |
The Old Guidance, although not updated, is still considered by the ICO to be useful. However, the ICO does note that there are some subtle differences between the Old Guidance and the New Guidance, the key difference being how to determine whether an organisation is a controller or a processor.
Paragraph 16 of the Old Guidance lists a number of decisions, and if an organisation makes any one of those decisions, it will be a controller. In contrast, the New Guidance states that the more boxes that are ticked in the above checklists, the more likely it is that a party will fall within that particular category. Therefore, until the ICO clarifies which approach should be taken, we would advise applying both sets of checklists to determine an organisation’s data protection designation.
Can you be both a controller and a processor of the same personal data?
No – the ICO’s New Guidance is clear on this point: you cannot be both a controller and a processor for the same processing activity, i.e. processing personal data for the same purpose.
However, the New Guidance does acknowledge that you can be both a controller and a processor if you are processing the personal data for different purposes and if your systems and procedures can distinguish between the personal data you process in your capacity as controller and the personal data you process as a processor. Where your systems cannot make this distinction and do not allow you to apply different processes and measures to each, the ICO considers that you are likely to be a joint controller rather than a processor. This is a new conclusion by the ICO and one that will have substantial ramifications because:
- The GDPR requires that joint controllers must have an arrangement in place that sets out agreed roles and responsibilities. The main points of the arrangement should also be made available to individuals (ideally in the form of privacy notices); and
- Joint controllers are jointly and severally liable.
Additionally, the New Guidance provides various examples of joint controllers, and these appear to imply that any service provider who is not acting as a processor will be acting as a joint controller with its customer (rather than as a separate controller). We will be co-ordinating feedback on the New Guidance in the hope that the ICO will provide definitive examples of joint controllers. We are also aware that the European Data Protection Board will be publishing guidelines on the concepts of controller and processor over the next two years, which should bring extra clarity.
In the meantime, we would strongly recommend that all organisations: (1) refer to the New Guidance when determining the data protection designation of a party; and (2) address the relevant joint controller relationship requirements in respect of any parties who would be deemed by the ICO to be joint controllers.