With personal data, are you a Processor or Controller?

Written on January 11, 2016 in Guest Blog

If you process data – and who doesn’t in our industry – you need to be sure you are doing it legally.

When providing services involving personal data, you will play the role of either Processor or Controller. This will normally be stipulated in a contract with the company you are providing services to. This contract will dictate how the data privacy laws perceive your role, based on the exact circumstances. These circumstances vary according to the agreement between the two parties, as well as the levels of control involved.

Some questions

Does your business take it for granted that you are the Processor in the contract? Is that the role you want to play, and is it the role your customer wants you to play? Careful consideration should be given to the structure of the relationship, the nature of data being processed and the processing itself.

There are a number of decisions issued by the European Commission which give examples of when companies are processor, controller, or both. For instance, decision 08/2010 gives some useful examples and there is some very useful guidance from the UK Commissioner’s Office.

Businesses need to ensure they have considered both what is in the contract and how the law regards them. The law, of course, is the overall arbiter, but businesses often only get to know their responsibility when things go wrong, for example if there is a data breach.

As well as commercial liabilities, there is often a misconception that if you are a Processor you are not liable. But whether you are actually in the role of Processor or Controller dictates which Member State law, and which articles, apply to you.

In the case of Controllers, it would usually be the data privacy laws of the Member State where the Controller is established – and making decisions – that apply to most of the processing activities. However, if you are a Processor, you would need to adhere to, and be governed by, the data privacy laws in the place that the Controller is established (you are working on behalf of the Controller). There is one exception to this rule: for the security provisions (Article 17 of the main EU Data Privacy Directive 95/46), it is the law of the Processor’s Member State of establishment that will apply.

An example

A UK Telecom Provider (the Controller) uses a company based in Germany to process some of their data (the Processor). The law applicable to the personal data is that defined in the UK Data Privacy laws, so although the Controller dictates which law applies, the Processor also needs to comply with these rules. The Processor must process the data in accordance with the UK data privacy rules, except for the security article 17 aspect, which must be that of the German data privacy authorities.

And there are some changes in the proposed General Data Protection Regulation (GDPR). Not only is there the introduction of a new definition, Joint Controller, where both parties in the relationship may be deemed Controllers under the law, but a Processor also becomes more jointly liable in some circumstances in the event of a data breach.

Current law does yet make Processors liable under EU law, where data is transferred outside the EU, or the Controller no longer exists, but the proposed GDPR makes Processors more accountable.


Linda French

About the Author

Linda is an independent consultant with 15 years’ experience in data privacy across the EU. Linda is an advocate for data privacy, with most of her experience in telecommunications and technology. Linda worked with Convergys as their Regulatory Affairs Consultant for over 10 years, responsible for the regulatory roadmap across Europe. Linda’s latest engagements have been with UL EHS Sustainability and Asiainfo. The last 3 years have been spent analysing the impact of the GDPR and getting businesses ready for this new law. Linda has a keen interest in international politics.
