The eData Guide to GDPR
Determining whether and to what extent your company is subject to the General Data Protection Regulation (GDPR) is an important question for businesses across the United States and Europe. The GDPR defines roles to help companies understand their responsibilities with respect to the processing of personal data. This installment of The eData Guide to GDPR discusses the respective roles of data controller and data processor, and what those terms mean for companies whose business involves European customers, employees, or other data subjects.
It is important to understand that the GDPR is a law with global reach, even though on its face it is focused on protecting the personal data of individuals in the EU. There are three main triggers for GDPR applicability. First, the GDPR regulates the processing of personal data in the context of the activities of any controller or processor established in the European Union, regardless of whether the processing itself takes place in the EU. Second, it regulates the processing of the personal data of data subjects in the EU by a controller or processor that is not established in the EU, where the processing relates to offering goods or services to those data subjects, whether or not payment is required; this is what extends the territorial scope of the regulation across the globe. Third, it regulates the processing of the personal data of data subjects in the EU when the processing relates to monitoring their behavior, as far as that behavior takes place within the EU. Although this guide and the regulation itself usually use the term EU when referring to the GDPR’s scope, the regulation in fact applies to the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Liechtenstein, and Norway.
The GDPR imposes obligations on organizations of all types and sizes, across all industries, and on data controllers as well as data processors. The terms data controller and data processor have essentially the same definitions under the GDPR as they did under Europe’s previous data protection regime, the Data Protection Directive (95/46/EC). A “data controller” is an organization or person that determines the purposes and means of the processing of personal data (why and how data is processed). A “data processor” is an organization or person that processes personal data on behalf of a controller, which in practice means an entity that processes personal data only on the controller’s instructions. Unlike the Directive, which generally imposed direct obligations only on controllers, the GDPR applies directly to processors as well (see Recital 22 and Article 28). The definitions are drawn this way to allocate responsibility in both a proactive and a reactive sense. Proactively, controllers and processors are expected to implement effective data protection measures and to be able to demonstrate accountability for them. Reactively, they must ensure that infringements of data subjects’ rights under the regulation are mitigated, corrected, and compensated for.
Understanding whether your company is a data controller or a data processor matters because the distinction determines your responsibilities with respect to personal data. Ultimately, data controllers must be able to demonstrate that personal data is “processed lawfully, fairly and in a transparent manner.” Controllers are also responsible for ensuring that only the minimum data needed for the specified purpose is processed (data minimization) and that the data is accurate. These responsibilities should be built into the processing rules the controller puts in place at the outset of a processing activity, a practice the GDPR calls “data protection by design and by default” (commonly “privacy by design”) and sets out in Article 25. The controller should then implement procedures to verify that processing actually follows those rules. Article 25 requires controllers to implement appropriate technical and organizational measures (pseudonymization, for example) designed to give effect to the data protection principles (data minimization, for example), taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of the processing, as well as the risks to data subjects. One caveat for anyone designing such measures: pseudonymized data remains personal data under the GDPR, because it can be re-attributed to an individual with the help of additional information; only data that has been genuinely anonymized falls outside the regulation’s scope.
In contrast, data processors carry out processing on the documented instructions of the data controller. The GDPR requires that controllers use only processors that provide sufficient guarantees that they will implement appropriate technical and organizational measures, and that the relationship be governed by a contract or other binding legal act in writing. Data processor responsibilities include
- assisting the controller in responding to data subject requests, including erasure requests (the “right to be forgotten”);
- if the processor is not established in the EU, appointing a representative in the EU;
- assisting the controller in conducting Data Protection Impact Assessments where processing is likely to result in a high risk to data subjects; and
- notifying the controller without undue delay after becoming aware of a personal data breach, so that the controller can meet its own notification deadlines (it is the controller, not the processor, that notifies the supervisory authority and, where required, the affected data subjects).
Importantly, a processor may not engage a subprocessor without the prior written authorization of the data controller, and the subprocessor must be bound by the same data protection obligations as the processor; the processor remains fully liable to the controller for the subprocessor’s performance of those obligations.
Any data controller or processor established within the EU must comply with the GDPR whether or not the processing itself takes place within the EU. Where two or more organizations jointly determine the purposes and means of processing, they are known as “joint controllers.” Joint controllers are required to set out, in a transparent arrangement between them, their respective responsibilities for compliance, in particular for handling data subjects’ rights and providing the information notices the regulation requires, and the essence of that arrangement must be made available to data subjects.
The European Commission has provided helpful examples of data controllers and data processors:
Controller and processor
A brewery has many employees. It signs a contract with a payroll company to pay the wages. The brewery tells the payroll company when the wages should be paid, when an employee leaves or has a pay rise, and provides all other details for the salary slip and payment. The payroll company provides the IT system and stores the employees’ data. The brewery is the data controller and the payroll company is the data processor.
Joint controllers
Your company/organisation offers babysitting services via an online platform. At the same time your company/organisation has a contract with another company allowing you to offer value-added services. Those services include the possibility for parents not only to choose the babysitter but also to rent games and DVDs that the babysitter can bring. Both companies are involved in the technical set-up of the website. In that case, the two companies have decided to use the platform for both purposes (babysitting services and DVD/games rental) and will very often share clients’ names. Therefore, the two companies are joint controllers because not only do they agree to offer the possibility of “combined services” but they also design and use a common platform.