Chapter 12: Controllers and Processors – EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide

CHAPTER 12: CONTROLLERS AND PROCESSORS

The roles of data controller and data processor are central to the GDPR and it is crucial that you understand these roles. The basic definitions were introduced earlier in this manual, but the detailed requirements around the roles need to be thoroughly understood.

Data controllers

The data controller is the responsible party for ensuring that personal data is processed in accordance with the Regulation. Article 4 of the GDPR provides the standard definition for a controller:

 

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.194

The controller is the entity that determines the purposes of processing activities. This includes determining which data will be collected, who to collect data from, whether there is a justification for not notifying the data subjects or seeking their consent, how long to retain the data, and so on.

It is also the data controller’s duty to ensure that any third-party processors abide by the rules, in accordance with the Regulation’s statement that “the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”195.

The controller will usually be the “public-facing” entities to which data subjects supply their information. For instance, a hospital might have an online form for entering health information; even if the online form is provided by a third party, the hospital (which determines what the data is processed for) will be the data controller. If the form is managed by a third party that has some autonomy over the design of the form and the categories of data that it collects, then that third party could become a joint controller.

It is the controller’s duty to protect personal data by “implement[ing] appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with [the GDPR]”196. These measures might also be called ‘controls’, and should be applied in response to calculated risks, be documented clearly, and be monitored and checked for effectiveness (see Chapter 6 for more information).

Implementing appropriate controls is a part of the data controller’s commitment to establishing data protection by design and by default. Establishing the most secure ways of processing the personal data must be done “both at the time of the determination of the means for processing and at the time of the processing itself”197.

DPIAs are a key part of data protection by design and by default (see Chapter 5). Responsibility for this falls to the data controller, and should not be foisted onto a data processor. However, the controller should consult the processors that may be affected in order to ensure that the DPIA is thorough, that the resulting plans can be implemented, and that the measures are and continue to be effective.

Joint controllers

It is possible for two or more controllers to jointly determine the purposes and means of processing. If your organisation needs to establish itself as a joint controller in partnership with another organisation, you will need to ensure that the “respective responsibilities for compliance with the [Regulation]” are established before performing any processing or collection of personal data.

Data processors

Data processors are those bodies contracted by the controller to perform some function on the personal data. The Regulation’s definition of a processor is as follows:

 

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.198

The processes must fall within the parameters provided by the data controller in accordance with the Regulation. Contracts between controllers and processors have a number of specific requirements, which are listed in Article 28, and the specific terms used in these contracts may, at some point, be dictated by either the Commission or your supervisory authority.

The controller does not have to define every single element of how the data is processed, and will often rely on the processor’s assurance that processing will be done securely. As such, the processor might still be responsible for determining some of the following elements:

  • The IT systems or other methods used to collect personal data.
  • How the data is stored.
  • The security surrounding the personal data.
  • How the personal data is transferred from one organisation to another.
  • How personal data about a specific individual is retrieved.
  • Methods for ensuring a retention schedule is adhered to.
  • How data is deleted or disposed of.

Processors may be free to design all of these for a number of reasons. For instance, if an organisation contracts a marketing agency to do some research, the organisation might determine the purpose of the personal data processing (e.g. to establish a measure of the organisation’s reputation) but defer to the marketing agency’s expertise on how best to achieve this end. The marketing agency must manage the personal data securely and in accordance with the GDPR. In this instance, it’s likely that the marketing agency will be a joint controller.

Processors are restricted from engaging another processor “without prior specific or general written authorisation of the controller”199. This ensures that the controller maintains oversight of the chain of custody of personal data, and so they can be assured of the security measures in place at each stage.

Controllers that are processors

In many cases, the data controller and the data processor will be the same entity. Given the extremely broad definition of processing, which includes the collection and disposal of personal data, it would be extremely rare for a controller to take no part in data processing itself.

Controllers and processors outside the EU

As described in the section on territorial scope in Chapter 1, controllers and processors based outside the EU are not exempt from the Regulation. Any organisation providing services into the EU needs to comply or face tough penalties200.

In order to ensure that the whole supply chain involved in processing personal data can be held accountable within Europe, the Regulation requires all such organisations to have a designated representative within the Union. There are two exemptions, which apply to:

 

(a)  processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

(b)  a public authority or body.201

In exemption (a), it’s important to note that the organisation’s processing has to meet all of those conditions.

Any organisation that doesn’t meet these conditions for exemption (in other words, the majority of organisations) will need to identify a representative somewhere within the European Union. The only stipulation as to the Member State in which the representative has to be based is that it should be “where the data subjects are and whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored”202. Many organisations will thus have a range of countries to choose from.

The representative’s job is to operate as the local liaison with the supervisory authority. The supervisory authority has no access to the organisation itself, so many of their interactions will be via the representative.

Because the representative can be held to some account for the controller or processor’s failures to meet the requirements of the Regulation, it is in their interests to ensure that they only represent organisations that have genuinely committed to complying with the law. Having a representative, however, will not absolve a controller or processor from liability.

If you need a representative in the EU, you must ensure that you communicate this in writing to the relevant supervisory authority in the Member State where the representative is established.

Records of processing

Organisations must retain records to prove their compliance should the supervisory authority request evidence. Organisations involved in processing data typically produce a large number of records from processing and establishing compliance with the Regulation, by way of fair processing notices, retention policies, evidence of consent, DPIA reports, and so on, all of which can be used as evidence of compliance. In many instances, you may need a combination of records to demonstrate your compliance. A processing policy, for example, is a single record, but evidence that it is being correctly applied will generate additional records, any of which could be requested by the supervisory authority in the event of an audit.

Supervisory authorities across Europe have defined processes for auditing organisations, and in many cases these processes have been published to ensure that audits can be completed quickly and with minimal disruption. The UK’s ICO, for instance, specifies the evidence it requests ahead of audits, and this should form the basis of any set of records that you use to demonstrate compliance:

 

[Evidence] may include data protection policy documents; operational guidance or manuals for staff processing personal data; data protection training modules; risk registers; information asset registers; information governance structures and similar.203

You can assume that any measures you have put in place to secure personal data – both those measures explicitly mandated by the Regulation and those that you apply out of a sense of good practice – should be documented and should be presentable as records. This includes documentation of your privacy compliance framework, risk assessments, controls, and so on. The sorts of records you might need to be able to present to the supervisory authority could include:

  • data protection or information security policy;
  • retention and disposal policies;
  • records of destruction of information assets (including personal data);
  • service-level and non-disclosure agreements with suppliers/processors;
  • fair processing notice and/or privacy policy;
  • risk management documentation (risk treatment plans, Statements of Applicability, DPIA reports, etc.);
  • monitoring and measurement of controls to manage risks;
  • training and awareness records (records of participation, test scores, etc.);
  • internal audit reports;
  • continual improvement logs;
  • incident management policies, procedures and logs.

The Regulation also requires many data controllers and processors to maintain a specific record of their processing activities. For controllers, this includes processing carried out by third-party data processors; for processors, it should be a record of processing activities carried out on behalf of a data controller. If your organisation is based outside the EU, your representative must also have a copy of the same record204.

Organisations that employ fewer than 250 people are not required to retain an explicit record of their processing activities, although organisations will not be able to claim the exemption if the processing is likely to pose a risk to the rights and freedoms of data subjects, if the processing is not occasional, or the processing involves special categories of data or data relating to criminal convictions and offences205.

Controllers and processors have different requirements for these records, which are given in Table 1206.

Table 1: Different record requirements for data controllers vs processors

Data controller’s records

Data processor’s records

Name and contact details of the controller, joint controller and/or controller’s representative and DPO.

Name and contact details of the processor(s) and of each controller that the processor works on behalf of, and the controller’s or processor’s representative and DPO.

Purposes of the processing.

Categories of processing carried out on behalf of each controller.

Description of the categories of data subjects and categories of personal data.

Details of any transfers of personal data to a third country or international organisation, including their identity and documentation of appropriate safeguards.

Categories of recipients to whom the data is disclosed, including recipients outside the EU.

A general description of the technical and organisation security measures.

Details of any transfers of personal data to a third country or international organisation, including their identity and documentation of appropriate safeguards.

 

Time limits for erasure of the different categories of personal data.

 

A general description of the technical and organisational security measures.

 

Records must be written and kept in a format that can be shared with the supervisory authority. The Regulation specifically permits keeping the records “in electronic form”207, so it should be a simple matter to ensure they are kept up to date and under strict version control.

Demonstrating compliance

Although records will demonstrate to your supervisory authority your claim that processing activities are in compliance with the Regulation, records will not show that these activities are actually conducted in accordance with the law. Without submitting to an audit, there’s no real way to provide conclusive evidence that you are compliant and, due to limited time and resources, supervisory authorities are unlikely to want to subject every organisation to regular audits.

An organisation can, however, partially demonstrate compliance by “adherence to an approved code of conduct […] or an approved certification mechanism”208. These codes of conduct and certification mechanisms can be selected, developed or “encouraged” by the Regulation’s defined authorities (Member States, supervisory authorities, the Board or Commission) in order to provide a standardised and formal system of assuring the security of personal data.

The Regulation also allows “associations and other bodies representing categories of controllers or processors [to] prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation”209. This means that industry bodies can work together to ensure that codes of conduct reflect the realities of business within that industry. This should enable the industry to assert best practice more generally and raise the standards of business across the board.

Because codes of conduct can be established by associations of controllers and processors, it’s entirely possible that you will have some say in the codes of conduct that will apply to your organisation. All codes of conduct still need to be approved by the supervisory authority, so it’s not carte blanche to avoid meeting the Regulation’s conditions. Furthermore, the supervisory authority will be charged with monitoring the efficacy of any codes of conduct210, so whatever model is chosen will need to stand up to ongoing scrutiny.

Standards and established frameworks built on best practice and validated by external audit are likely to be accepted as forms of certification or codes of conduct across the majority of the EU. ISO 27001, in particular, should be considered a safe bet for assurance of information security in most jurisdictions. If no approved code of conduct has been established, and there is no formally recognised certification mechanism to prove compliance with the GDPR, ISO 27001 and similar frameworks and management systems provide a sensible starting point.

________________________

194 GDPR, Article 4, Clause 7.

195 GDPR, Article 28, Clause 1.

196 GDPR, Article 24, Clause 1.

197 GDPR, Article 25, Clause 1.

198 GDPR, Article 5, Clause 8.

199 GDPR, Article 28, Clause 2.

200 GDPR, Article 3.

201 GDPR, Article 27, Clause 2.

202 GDPR, Article 27, Clause 3.

203 Auditing data protection: a guide to ICO data protection audits, https://ico.org.uk/media/for-organisations/documents/2787/guide-to-data-protection-audits.pdf.

204 GDPR, Article 30.

205 GDPR, Article 30, Clause 5.

206 GDPR, Article 30, Clauses 1 and 2.

207 GDPR, Article 30, Clause 3.

208 GDPR, Article 32, Clause 3.

209 GDPR, Article 40, Clause 2.

210 GDPR, Article 41, Clause 1.