GDPR Newsletter

The PwC DPO voice - How to tell the difference between a data controller and a data processor

N°16 - April 2018 edition

Do you remember staring contests as a child, where you desperately tried not to blink or laugh? Well, this seems like an appropriate analogy for the relationship between the data controller and the data processor when processing personal data, as distinguishing between one and the other can be very challenging.

Firstly, this is because the same personal data can be processed consecutively by the same entity, which acts alternately as data controller and as data processor. It is also because, quite apart from the new concept of joint data controllers, the General Data Protection Regulation ("GDPR") has enhanced the data processor's obligations and responsibilities to such an extent that endless discussions between the parties whenever there is a doubt seem futile.

In this context, given the additional constraints that a data processor's clients may impose, one may even wonder whether, in certain cases, a data processor might ultimately prefer to designate itself as the data controller.


Case-by-case analysis

In theory, Opinion 1/2010 of the Article 29 Working Party sets out the indicators that determine who is the data processor and who is the controller. The main consideration is the degree of independence: the more independent you are, the more likely you are to meet the definition of data controller rather than data processor. The indicators are as follows:

  • The extent to which the client instructs the service provider: how independent is the service provider when rendering its service?
  • The amount of control over the performance of the service: how much “surveillance” does the client have over the service?
  • Value added by the service provider: does the service provider have in-depth expertise in the field?
  • Amount of transparency when using the service provider: do the data subjects using the client’s services know the service provider's identity?

Common obligations

Like data controllers, data processors must comply with the GDPR's provisions. In other words, they must implement appropriate technical and organisational measures so that the data-processing operation that they are undertaking on behalf of the data controller meets the requirements of the GDPR and guarantees that the data subject's rights are protected.

In practice, this means the following:

  • Directly:
    • Respecting the principles governing the processing of personal data;
    • Appointing a DPO where required;
    • Maintaining a register;
    • Implementing data protection by design and by default;
    • Appointing representatives if the data processor is not established in the EU; and
    • Ensuring that the data is confidential, complete and available.
  • Indirectly:
    • Allowing the data subjects to exercise their rights; and
    • Drawing up a risk analysis where required.

Additional obligations

In addition to the data-processing obligations in common with the data controller, the data processor must:

  • draw up a contract or other legal act under EU law, specifying each party’s obligations and incorporating the provisions of Article 28 of the GDPR, as well as the nature, purpose and duration of the data processing, the type of data and the categories of data subjects;
  • document in writing its clients’ instructions regarding the processing of their data;
  • obtain its clients' written authorisation to process the data (or, at the very least, allow them to object to this processing); and
  • cooperate with its clients, inform them where their instructions appear unlawful, and provide them with all the information necessary to demonstrate that it is in compliance with its obligations and to enable audits to be carried out.

Reduced obligations

In parallel, the data processor’s obligations are reduced regarding:

  • the deadline for informing clients in the event of a data breach: the "not later than 72 hours after having become aware of it" that applies to the data controller is relaxed to "without undue delay" for the data processor.

What about contracts that are already running?

Updates are required on a case-by-case basis, depending on the effort needed and the risks identified. Obviously, open-ended contracts pertaining to data that is sensitive in terms of its impact on data subjects must be prioritised over contracts that, for example, pose no risk or are nearing the end of their term.

In all cases and in accordance with the principle of accountability, these decisions must be justified.

Cédric Nédélec
Data Protection Officer

Contact us

Frédéric Vonner
Partner, GDPR Leader, PwC Luxembourg
Tel: +352 49 48 48 4173

Cédric Nédélec
Data Protection Officer, PwC Luxembourg
Tel: +352 49 48 48 2186

Ludovic Raymond
Director
Tel: +352 49 48 48 4304