Controller vs. Processor
Article 4 defines data controllers and data processors as below:
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
For example, if Acme Co. sells widgets to consumers and uses Email Automation Co. to email consumers on their behalf and track their engagement activity, then with regard to such email activity data, Acme Co. is the data controller, and Email Automation Co. is the data processor.
This distinction is important for compliance. Generally speaking, the GDPR treats the data controller as the principal party for responsibilities such as collecting consent, managing consent-revoking, enabling right to access, etc. A data subject who wishes to revoke consent for his or her personal data therefore will contact the data controller to initiate the request, even if such data lives on servers belonging to the data processor. The data controller, upon receiving this request, would then proceed to request the data processor remove the revoked data from their servers.
New requirements for data processors under the GDPR
The GDPR introduces direct obligations for data processors for the first time, whereas the current Directive only holds data controllers liable for data protection noncompliance. Processors will also now be subject to penalties and civil claims by data subjects for the first time.
For starters, Article 28(1) states that:
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
In other words, data controllers, i.e. customers of data processors, shall only choose processors that comply with the GDPR, or risk penalties themselves. As supervisory authorities enforce penalties on controllers for a lack of proper vetting, processors may find themselves obligated to obtain independent compliance certifications to reassure their would be customers.
In addition, all processors are required to:
- Only process personal data on instructions from the controller, and inform the controller if it believes said instruction infringes on the GDPR (28.3). In other words, a data processor may not opportunistically use or mine personal data it is entrusted with for purposes not outlined by the data controller.
- Obtain written permission from the controller before engaging a subcontractor (28.2), and assume full liability for failures of subcontractors to meet the GDPR (28.4)
- Upon request, delete or return all personal data to the controller at the end of service contract (28.3.g)
- Enable and contribute to compliance audits conducted by the controller or a representative of the controller (28.3.h)
- Take reasonable steps to secure data, such as encryption and pseudonymization, stability and uptime, backup and disaster recovery, and regular security testing (32.1)
- Notify data controllers without undue delay upon learning of data breaches (33.2)
- Restrict personal data transfer to a third country only if legal safeguards are obtained (46)
A processor is further required to maintain a record of data processing activities if it qualifies for any of the following criteria (30):
- Employs 250 or more persons
- Processes data that is “likely to result in a risk to the rights and freedoms of data subjects”
- Processes data more than occasionally
- Processes special categories of data as outlined in Article 9(1)
- Processes data relating to criminal convictions
And a processor must appoint a DPO in select circumstances. Learn more here.
These new requirements will likely spawn closer coordination between data controllers and processors to ensure GDPR compliance. Existing contracts will need to be reviewed to ensure compliance, for instance clarity on the specified data processing that controllers instruct processors to perform.