NEW: AI Compliance solution.

Learn more
Login
Book a demo
  • By Emil Galletta Rene, assistant attorney

Data Processor, Data Controller and Joint Data Controller: Here's Everything You Need to Know About GDPR Roles

Are you a data controller? 

 

Then it’s important that you understand the data protection roles of you and your supplier:

 

For example, your supplier can be either a data processor or an independent data controller, but it could also be that your supplier and your organization have a joint data controllership.

 

Regardless, your GDPR roles have an impact on which data processing agreement you need to have. For example, data processing agreements, agreements on joint controllership, etc.

 

So read on as I take you through the different ‘GDPR hats’ that your supplier and your organization can wear.

Data controller versus data processor

If your organization is the data controller, this means that you decide what happens to the personal data and how it can be used.

 

In other words, your organization ‘owns’ the purpose and legal basis for processing.

 

However, there may be cases where you disclose personal data to another organization, such as a supplier, to place orders or enter into consulting agreements.

 

Here, the supplier may become responsible for the personal data they receive. But in situations where the supplier processes the data on your behalf, the supplier acts as a data processor.

 

This could be because you pay them to store the data on their servers or if they are providing an HR system to keep track of information about your organization’s employees.

 

In these situations where you’re not the only processor, you need a setup that ensures you’re still in charge of the processing and that the personal data is properly looked after.

 

This means that you should have a data processing agreement to instruct the data processor – your supplier – on what to do with the personal data.

Independent data controller

In the distribution of roles where your organization is the data controller and your supplier is the data processor, your supplier ‘borrows’ the legal basis for processing and purpose from you as the data controller.

 

However, this is not the case if your supplier is an independent data controller. Here, your supplier has its own legal basis for processing and purpose and is therefore also responsible for GDPR compliance.

 

You can get an overview of the ‘leeway’ your supplier has when they are either a data processor or an independent data controller here:

How to find out if your supplier is an independent data controller or data processor

We’ve listed five scenarios that indicate that your supplier is a data processor.

 

If they don’t apply to your organization, your supplier will typically be an independent data controller. However, please note that it’s not a requirement that you must be able to say yes to all the statements before your supplier is a data processor:

  1. The supplier performs a task that your organization could, in principle, have performed itself.
  2. The supplier only processes the data on your behalf.
  3. The agreement between you and the supplier contains a direct instruction on the processing of personal data (as opposed to an agreement that is only aimed at the provision of another service).
  4. You can require the return or deletion of the data from the supplier if you no longer want the supplier to process the data.
  5. You control that the supplier processes the data as agreed.

Joint data controllership

It can also happen that your organization is part of a joint data controllership with your supplier.

 

A classic example is if you have a company account on Facebook.

 

An organization and a supplier are joint controllers when the parties jointly decide how and why they process data.

 

For example, when an organization collaborates with a marketing supplier on a campaign where the parties jointly decide how they collect and use customer data.

It’s tricky to say which GDPR roles that are typically put together, as it depends on the type of business you have.


However, we see that many suppliers are data processors.


Therefore, the data processing agreement is a necessary document in your supplier management.

 

You can create one via ComplyCloud, for example – feel free to reach out to our in-house attorneys to hear more about it.

Make your data processing agreement with ComplyCloud

Want to take good care of your personal data with a data processing agreement?

Yes, please

Compliance as it should be: simplified transparent automated

Want to know more or have a chat?

Book a demo
Contact us

SOLUTIONS

Data protection

Information security

NEW: AI compliance

ADDITIONAL PRODUCTS AND SERVICES

Managed services

Whistleblower software

ComplyHero E-learning

PLATFORM

Why ComplyCloud

NEW: ComplyCloud AI

FEATURES

Mapping and Records

Compliance document generator

Risk management

Vendor data management & Audits

Task management and collaboration

USE CASES

GDPR

NIS2

ISAE 3000

ISO 27001

The AI Act

TIA

Customize your own framework

PRICING

Plans and pricing

RESOURCES

Guides and reports

Webinars and events

Blog

Customer stories

Newsletter

ABOUT

About

Team

Career

Partner program

Contact

Data protection and privacy policy

© 2023 ComplyCloud. All rights reserved

Booking

To book a class, become a member, or rent our studio, please complete this short form. We’ll get back to you as soon as we can.