Introduction
In the complex landscape of data protection, understanding the roles of data processors and data controllers is crucial to General Data Protection Regulation (GDPR) compliance. Although the GDPR makes a clear distinction between these roles, there are situations where data processors see themselves stepping into the role of data controllers, so to speak.
In this article, we explore scenarios outlined by the GDPR that lead to this transformation, shedding light on the responsibilities and implications for organizations involved.
When Data Processors Become Data Controllers: Revealed Scenarios
-
Processing of Own Personal Data
Imagine a scenario in which Company X, a bank, hires Company Y, a Business Process Outsourcing (BPO) company, to provide customer service on their behalf. While Company Y processes customer data as required by Company X, it may also collect and manage personal information about Company X’s employees for internal purposes. In this case, Company Y becomes a data controller for the employee data it has collected, which is a common situation for many data processors.
-
Professional Services with Legal Obligations
Imagine a situation where a company, X, hires an accounting firm, Y, to manage their accounts. Although Y is generally a data processor following X’s instructions, if Y discovers irregularities during the process, it may be required to report them. This legal obligation transforms Y into a data controller for the relevant personal data. Similarly, a law firm representing a client in litigation may become a data controller if it has to manage certain personal data.
-
Medical Practice
In health care, a hospital may need to transfer a patient to another facility (B) because of specialized treatment requirements. Although B initially processes patient data based on A’s instructions, B becomes a data controller by accepting the transfer, responsible for managing and using the patient data for its own treatment purposes.
-
Implications and Compliance.
The GDPR sets clear guidelines for the roles of data controllers and data processors. Organizations should be aware that becoming a data controller brings additional responsibilities and obligations. Failure to comply with these obligations may result in fines and penalties.
-
Understanding of Data Controllers and Data Processors
Data Controllers: Key Decision Makers.
- Determine the purpose and method of data processing.
- Responsible for GDPR compliance and data protection principles.
- Pay data protection fees and appoint a data protection officer if applicable.
Data Processors: acting on behalf of Data Controllers
- Process data according to the instructions of the data controller.
- Implement appropriate measures to ensure GDPR compliance.
- Do not have the same level of GDPR compliance responsibilities as data controllers.
- Determining Your Role: Controller or Processor?
Data controllers
- Deciding on the collection and processing of personal data.
- Determine the purpose and type of data collected.
- Have commercial advantage in data processing.
- Responsible for GDPR compliance and data protection principles.
Data Processors
- Processing data on behalf of someone else.
- Received data and instructions from a third party.
- Implement data processing decisions as part of a contract.
- Not interested in the overall purpose or outcome of processing.
Shared Responsibilities: Shared Responsibilities.
- Joint controllers have shared objectives and agree on the purposes of data processing.
- Equally responsible for security breaches, with fines distributed accordingly.
Sub-Processors: Expansion of Responsibilities.
- Data processors must obtain prior written consent to outsource data processing to a third party (sub-processor).
- The sub-processor remains fully liable for performance to the data controller.
-
Sample cases
Example 1: General practice
The general practice manages the purpose and method of data processing in a computerized reporting system.
Example 2: Accountant for a Company
An accountant is a data controller when acting in accordance with professional obligations, not just client instructions.
Conclusion
Navigating the GDPR landscape requires a thorough understanding of the roles of data controllers and data processors. As illustrated by several scenarios, there are situations where data processors naturally transition into data controllers, which brings additional responsibilities. Organizations must remain vigilant, ensure compliance with GDPR guidelines and seek legal advice when necessary to avoid potential breaches and consequences.