The EU General Data Protection Regulation (“GDPR”) took effect on May 25, 2018, and fundamentally reshaped the way personal data is protected and handled. The GDPR is a complex piece of legislation with far-reaching implications to both EU businesses and businesses that have no physical or legal presence in the EU.
To what or to whom does the GDPR apply?
The simplified answer covering the large majority of situations is that it applies to: 1) an individual, a company or an organization that process the personal data of persons in the EU in connection with offering them goods or services, or that monitor the behavior of individuals within the EU; or, 2) the processing of personal data in the context of activities by an individual, a company or an organization established in the EU whether the processing takes place there or not.
The GDPR sets extremely stiff penalties for violating its provisions, making the next determination and overall compliance crucial to businesses that fall within its scope.
Controller or Processor?
The next important question when beginning GDPR compliance analysis is whether your business is a controller or a processor. Unfortunately, for purposes of GDPR compliance the concepts are not straightforward, or even mutually exclusive.
Depending on whether you qualify as a controller, processor, or both, the GDPR attaches specific obligations to guarantee that the personal data being processed is sufficiently protected. A good place to start in distinguishing those two roles is to look at the definitions of each under the GDPR.
Article 4 of the GDPR defines controllers and processors as:
- (7)‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- (8)‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
The next step is to delve into those definitions more deeply and try to ascertain exactly what the language means in the context of controller and processor.
Controller – Determining the purposes and means of processing
Three building blocks found in the definition help distinguish who is a controller under the GDPR:
- “the natural or legal person, public authority, agency or any other body”
- “which alone or jointly with others”
- “determines the purposes and means of the processing of personal data”.
Put most simply, the first two elements outline the person or organization, who either alone or with someone else, make the decisions about data processing. While there’s been no shortage of time and effort further analyzing the language in those first two elements, most of the confusion lies in the third part of the test: “determin[ing] the purposes and means of processing.”
Another way of looking at this is determining the “why” (the purpose) and the “how” (the means) of the data being processed.
This is the central and substantive issue in determining who should be designated as a controller; once you figure out who is making the decision as to why the processing is happening, you can then designate them as the controller. The “purpose” is defined as “an anticipated outcome that is intended or guides your planned actions,” but the pragmatic approach is to, again, ask why is the processing happening and who is making that decision? This decision is exclusively reserved for the controller and cannot be delegated.
The “means,” on the other hand, does not only refer to the technical ways of processing the personal data, but could also include questions of which data is and is not processed, which third parties have access to the personal data, and when the data should be deleted. Figuring out who is making the decision as to how the processing is happening may also point you to the controller, although that responsibility may be allocated from the controller to the processor in certain circumstances. In particular, many technical decisions can be delegated to a processor as explained below.
Processor – Acting on behalf of the controller
The most important element in understanding the definition of processor is that the processor acts “…on behalf of the controller…” During the processing activities the processor is called on to implement the instructions given by the controller and, as noted above, the purpose or the “why” of processing is always the decision of the controller.
However, it is possible that the technical and organizational decisions are delegated to or, in some situations, determined exclusively by the processor. That could mean the processor determining the type of software or hardware to use, for instance. In these cases, the means should represent a reasonable way of achieving the purpose(s) and the controller should be fully informed about the means to be used.
For those reasons outlined above, even though the processor might be the one that determines the means to some limited extent, the controller is the one that always determines the purpose of processing.
Obligations of a controller vs a processor
As the controller is the key decision maker with regards to personal data, most of the responsibilities for compliance with the GDPR fall on the controller’s shoulders. The “accountability” requirement is first laid out in Article 5(1) of the GDPR, listing six required principles underpinning the processing of personal data: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; and, integrity and confidentiality.
Article 5(2) states, “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” This requirement not only places responsibility for compliance directly on the controller, but also requires the controller be able to demonstrate the same if asked to do so by regulatory authorities.
These are only the beginning of the obligations of controllers under the GDPR. Chapter 3 of the GDPR, for instance, which covers Articles 12-23, covers all the different data subject rights that controllers are responsible for and processors must assist in supporting. Of these, one of the most important is responding to data subject requests. Chapters 4 and 5 cover even more of the responsibility and liability of controllers, and the role processors play in ensuring controllers can meet those obligations.
Even with the lion’s share of responsibility placed on the controller, the GDPR also requires that both controller and processor need to implement technical and organizational measures so that the processing meets a cutting-edge standard of data protection and ensures the protection of the fundamental rights of the data subject. It is also worth noting that just like a controller, a processor may be subject to direct liability under the GDPR in certain circumstances.
The distinction between controller and processor and the obligations that attach to each under the GDPR are sometimes difficult, but always vital, determinations. Ensuring you meet those principles and standards of data protection is a necessary priority in protecting you or your business from potential liability under the GDPR.
To learn more about the GDPR, your obligations as a controller and processor, and VeraSafe’s GDPR compliance solutions, contact one of VeraSafe’s privacy experts today for a free GDPR consultation.