General Data Protection Regulation
A case of responsibility
Since it became applicable in May 2018, the General Data Protection Regulation has raised a number of questions across the market. One of them is the difficulty organizations face in working out whether they are a controller or a processor for a given processing activity whenever a third party is involved. The question becomes even harder where the role of each party changes from one processing activity to the next.
In addition, while the Regulation strictly frames the relationship between a controller and a processor (Article 28, which prescribes the content of the contract between them), the means of defining the relationship between controllers, joint or not, are far less prescribed (Article 26 only requires joint controllers to determine their respective responsibilities "in a transparent manner"). How to determine, formalize and transparently communicate those responsibilities is therefore left to the parties themselves.
The lack of detailed guidance for specific relationships (consultants, external accountants, auditors, etc.) often leads to the common misconception that every service provider is a processor.
The absence of a "one size fits all" approach for identifying and formalizing the relationships between the parties involved in a shared processing activity generates confusion. In practice, the nature of the processing is the main driver for deciding whether an organization is a controller or a processor, which makes certain types of relationships specific to an industry.
If we take a step back, the GDPR defines a controller (or joint controller) as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 4(7)). It defines a processor as a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller (Article 4(8)). Further guidance is expected from the EDPB, as the last Article 29 Working Party opinion on these concepts (Opinion 1/2010) dates back to 2010.
Furthermore, the notion of acting "on behalf of" another entity can give the impression that most responsibilities and obligations (and therefore consequences) fall on the controller. While this is true for certain aspects of the relationship (providing the necessary information to data subjects, reporting to and cooperating with supervisory authorities, etc.), the involvement and obligations of the processor on other topics are widely underestimated, among which:
- Acting on behalf of another entity means following that entity's documented instructions, including processing personal data strictly within the terms of the contract and deleting or returning the data at the end of the service upon request
- Being subject to audits and inspections at the request of the controller
- Having the obligation to assist the controllers for which it processes data in demonstrating their compliance with the Regulation, for instance by making available the information needed for that purpose
The same misunderstanding of one's responsibilities also affects controllers: in certain cases the entities concerned do not consider themselves responsible for the processing of personal data, and they are wrong.
Recently, the Court of Justice of the European Union ruled in two cases that organizations which had not treated themselves as responsible for a particular processing of personal data were in fact (joint) controllers for it. In particular, the Court ruled that
- Persons and companies such as the German educational company Wirtschaftsakademie Schleswig-Holstein [1] (Case C-210/16) that administer Facebook fan pages for their own purposes are jointly responsible with Facebook for the data protection obligations attached to those pages. In other words, Facebook and the fan-page administrator are, to some extent, jointly responsible for any infringement of data protection rules relating to the page
- The Jehovah's Witnesses community [2] (Case C-25/17) must comply with EU data protection rules, for instance by obtaining consent from the people concerned, when its members note down personal details during door-to-door preaching, as such religious activity is not covered by the exemption for purely personal or household activities. In particular, the community is considered a joint controller, together with its members, for the processing of personal data carried out in the context of door-to-door preaching
Although both cases were decided under Directive 95/46/EC (since replaced by the GDPR), the concepts of controller and processor are unchanged in the Regulation.
In such cases, roles, and consequently responsibilities, are determined not only by the terms of a contract, where one exists, but mainly by the facts of the processing of personal data.
Ultimately, all parties involved will have to cooperate to demonstrate their compliance, including their accountability for the protection of personal data, in order to guarantee the right to the protection of one's personal data, a fundamental right in the European Union (Article 8 of the Charter of Fundamental Rights).
Clarifying the responsibilities of each entity is therefore the first mandatory step towards that goal, particularly since there is little difference in impact between processors and controllers: both face administrative fines and claims for compensation, and where both are involved in the same processing each can be held liable for the entire damage, regardless of where their respective responsibilities lie [3].