Did you know that your role can change from processor to controller and back again? This is a crucial concept to understand under the General Data Protection Regulation (GDPR). In a chain of processing activities, a controller and processor’s role may change depending on the activity. A processor may be a controller for a certain processing activity within a chain of activities depending on the circumstances. For that activity, the controller might switch to being the processor or both parties might simultaneously be controllers. When both parties are controllers they are not necessarily joint controllers. They are only considered joint controllers if they jointly determine the purpose and means of the processing.
Why this matters:
- Controllers. If you’re a controller, you’re responsible for complying with all GDPR controller obligations, including data security, data subject access requests, and more. You don’t want to mistakenly sign a Data Processing Agreement with another controller, placing all the responsibility on you as their processor, if you are in fact a controller yourself. A Data Processing Agreement is for processors, not other controllers.
- Processors. If you’re a processor who starts processing data for your own purposes, independent of the controller who shared the data with you originally, you might become a controller yourself. This will include all the associated obligations and liabilities.
- Controllers and processors. As a controller, you need to know if your processor’s role changes. If it does, it may be because they’re processing beyond your instructions. This could put you in breach of GDPR.
Concepts of controller and processor – what are they?
The GDPR mentions three distinct roles that an organisation can play concerning the personal data it processes. Your organisation might be a controller, processor, or joint controller for a particular processing activity. In many cases, these roles are distinct and easy to determine. But the European Data Protection Board’s (EDPB) publication of the “guidelines on the concepts of controller and processor in the GDPR” suggests otherwise.
Defining controller, processor, joint controllers, and co-independent or sole controllers
- Controller. The controller determines the purpose and means of processing. They decide why and how the data is processed.
- Processor. The processor processes data on behalf of the controller, following the controller’s instructions. They determine the manner of processing, not the purpose.
- Joint controllers. Joint controllers jointly determine the purpose and means of processing. They share responsibility for compliance.
- Co-independent controllers. When two parties share personal data, but each party has its own unique purpose for processing the personal data, those parties are most likely co-independent controllers. One party may conduct processing on behalf of the other, and for that processing activity, they are a processor. But that party also processes personal data on its own behalf for its own purposes, and for that processing activity they are a controller.
The EDPB’s guidelines explore examples where an organisation might fulfil multiple roles within a relationship with another party. They might be a processor for some activities, a joint controller for others, or even a sole controller alongside the controller that originally shared the data.
The EDPB explains that, in a chain of processing activities, a party’s role might change concerning a specific activity. The following examples help demonstrate this.
Examples
Recruitment agency
Imagine a company (ABC Comp) approaches a recruitment agency (Recruiting Now – RN) to fill an open role at ABC Comp. RN finds five candidates on LinkedIn and approaches them to apply for the role. In this instance, RN is ABC Comp’s processor, as RN is operating under the instruction of ABC Comp. ABC Comp hires one of the five candidates that RN put forward. RN keeps the remaining four candidates’ files and begins searching for other clients that may be advertising similar roles. At that point, RN has started processing those four candidates’ personal data for its own purposes. RN is now a controller. RN will need to ensure it has a lawful ground and purpose for processing those candidates’ personal data. RN may need to obtain those candidates’ consent to enable it to continue processing the personal data. The original purpose has changed and RN, as a controller in its own right, cannot continue to rely on ABC Comp’s lawful ground and purpose for processing.
Database accessed by or benefiting multiple clients
Imagine a company has a database of personal data which it has obtained from its clients or which its clients have specifically shared with it. Each client is a controller in respect of the personal data it has given to the company. The company is a processor when processing for the benefit of the client that shared the personal data. However, if the company processes the personal data it received from one client for the benefit of another client, the company is now processing for its own purposes or the purposes of a third party, and not for the original controller. In this instance, the processor is either processing beyond the instructions of the original controller or has become a controller itself.
The recruitment agency example demonstrates how an organisation may have a database of candidates, which benefits multiple clients. This example is fairly clear and straightforward but it should prompt you to think about whether you have any databases that benefit several of your clients, or which your processors use that may benefit their other clients.
Successive independent controllers
The EDPB explains that you can also have successive independent controllers, where various actors, having independent purposes and means, successively process the same personal data in a chain of operations. An example is a company transmitting employee data to the tax authorities. The company and the tax authority are two separate data controllers. Each party independently determines its own purpose of processing. Each party has a different purpose for processing, which is why they are not joint controllers.
How do you determine your role?
Generally, you answer this question by identifying who determines the purpose and means of processing, that is, by asking “why” and “how” you process personal data. Are you a processor or a controller? But there may be several purposes behind processing personal data for a certain activity. That is where things become a little more complicated.
The EDPB guidelines set out examples of how the roles may change between two parties during a chain of processing activities. If you are uncertain, you should conduct a data processing relationship assessment to determine your role in respect of your activities.
EDPB guidance on purpose and means
Questions related to the purpose of processing
The primary question relating to the purpose is, “why are you processing the data”? But if the answer to that is based on external factors, this may influence who the controller actually is.
- Who decided that processing should take place for a particular purpose?
- If the law requires the processing, to which party does the law apply?
There might be several purposes behind a single processing activity. Various parties may have determined those particular purposes.
Questions related to the means of processing
The primary question relating to the means is, “how are you processing the data”? The means are usually less important than the purpose, and a processor may determine some of them. But the guidelines introduce the concepts of essential means and non-essential means. The EDPB links the essential means to the purpose and scope of the processing, which is why the party determining them is likely a controller. The party answering the following questions is establishing the essential means:
- Which data must the party process?
- How long must you process the data?
- Who must have access to the data?
- Whose data do you need to process? Which categories of data subjects?
The EDPB also highlights that you can link the concept of a controller either to a single processing activity or to a chain of activities. This may mean that the control a party exercises may extend to the entirety of the processing at hand but may also only apply to a particular stage in the processing.
If you are a processor with control over a particular stage in the processing, you might be acting as a controller. You need to be aware of these circumstances to ensure you comply with your controller obligations in respect of that stage appropriately.
Actions you can take
- Discover your primary role by completing a data processing relationship assessment.
- Understand your controller or processor role by creating a record of processing activities (ROPA) and mapping your activities.
- Gain authority on your role in a relationship by asking us to write you an opinion or white paper setting out the role you play in your relationship with other organisations.
- You can dive into the details of the EDPB’s guidelines 07/2020 on the concepts of controller and processor by downloading them.