What are data processors / data controllers?
Unlike the Data Protection Act 1998, the GDPR places direct obligations on data processors to comply with certain data protection requirements which previously only applied to data controllers. This represents a significant change and will increase the risk profile of businesses which act as data processors such as data-centre providers, payroll processing businesses and cloud-storage companies.
Most contracts involving personal data will designate the parties as a data control or data processor. However, this does not determine a party’s status. The question of whether a party is a data controller or data processor is one of fact, and so it is important to understand the factors which are used to determine this.
Under the GDPR a data controller is a party which determines the purposes for, and means by which, personal data is processed. The more constrained a party is in how it can handle personal data, the less likely it is to be a data controller. Factors which can be looked at in determining whether a party is a data controller include:
- The level of instructions given to the party processing the data which determines the degree of independence a processor can exercise
- How closely a party monitors the processing activities
- The expertise of the respective parties
- The impression given to data subjects as to who has control over the processing of their personal data
If a party decides any of the following, it is most likely a data controller:
- whether to collect the personal data in the first place, and the legal basis for doing so
- what and whose personal data to collect
- the purpose the data is to be used for
- whether and who to disclose data to
- how an individual can exercise their rights in relation to the data (or whether an exemption is applicable)
- how long to retain the data for or whether to make non-routine amendments to it
Under the GDPR a data processor is a party that processes personal data on behalf of the data controller.
Obligations on data processors
The GDPR places direct obligations on data processors. These obligations include:
- Processing Agreements – data processors may only process personal data on behalf of data controllers where a written contract is in place which includes a number of mandatory terms. For more information click here.
- Compliance with instructions – data processors may only process personal data in accordance with the instructions of the data controller
- Sub-processors – data processors may not appoint sub-processors without the prior written consent of the data controller
- Record keeping – data processors must maintain records of their data processing activities
- Security – data processors must take appropriate data security measures
- Data breaches – data processors must inform data controllers of any data breaches suffered
- Data Protection Officers – data processors may (in certain circumstances) be required to appoint a data protection officer