The PwC DPO voice - How to tell the difference between a data controller and a data processor
N°16 - April 2018 edition
Do you remember staring contests as a child, where you desperately tried not to blink or laugh? Well, this seems like an appropriate analogy for the relationship between the data controller and the data processor when processing personal data, as distinguishing between one and the other can be very challenging.
Firstly, this is because the same personal data can be processed consecutively by the same entity, which alternates between acting as data controller and as data processor. Secondly, leaving aside the new concept of joint data controllers, the General Data Protection Regulation ("GDPR") has strengthened the data processor's obligations and responsibilities to such an extent that endless discussions between the parties whenever there is a doubt seem futile.
In this context, given the potential for the various additional constraints imposed by a data processor’s clients, one may even wonder whether, in certain cases, a data processor might ultimately prefer to appoint itself as the data controller.
In theory, Opinion 1/2010 of the Article 29 Working Party sets out the indicators that determine who is the data processor and who is the data controller. The main consideration is the degree of independence: the more independent you are, the more likely you are to meet the definition of data controller rather than data processor. The indicators are as follows:
Like data controllers, data processors must comply with the GDPR's provisions. In other words, they must implement appropriate technical and organisational measures so that the data-processing operation that they are undertaking on behalf of the data controller meets the requirements of the GDPR and guarantees that the data subject's rights are protected.
In practice, this means the following:
In addition to the data-processing obligations in common with the data controller, the data processor must:
In parallel, the data processor’s obligations are reduced regarding:
Updates are required on a case-by-case basis, depending on the effort needed and the risks identified. Obviously, open-ended contracts pertaining to data that is sensitive in terms of its impact on data subjects must be prioritised over contracts that, for example, pose no risk or are nearing the end of their term.
In all cases and in accordance with the principle of accountability, these decisions must be justified.
Contacts: Partner, GDPR and Privacy Leader, PwC Luxembourg (Tel: +352 49 48 48 4173); Data Protection Officer, PwC Luxembourg (Tel: +352 49 48 48 2186); Tel: +352 49 48 48 4304