Data Processor, Data Controller and Joint Data Controller: Here's Everything You Need to Know About GDPR Roles

Published on:
October 25, 2024
|
Reading time:
4 min.
WRITTEN BY
Emil Galletta Rene
Assistant attorney
TABLE OF CONTENTS

Want to know more about GDPR requirements?

Find everything you need in "The Little Guide to GDPR" - a straightforward breakdown of key obligations.

Are you a data controller?

Then it’s important that you understand the data protection roles of you and your supplier:

For example, your supplier can be either a data processor or an independent data controller, but it could also be that your supplier and your organization have a joint data controllership.

Regardless, your GDPR roles have an impact on which data processing agreement you need to have. For example, data processing agreements, agreements on joint controllership, etc.

So read on as I take you through the different ‘GDPR hats’ that your supplier and your organization can wear.

Data controller versus data processor

If your organization is the data controller, this means that you decide what happens to the personal data and how it can be used.

In other words, your organization ‘owns’ the purpose and legal basis for processing.

However, there may be cases where you disclose personal data to another organization, such as a supplier, to place orders or enter into consulting agreements.

Here, the supplier may become responsible for the personal data they receive. But in situations where the supplier processes the data on your behalf, the supplier acts as a data processor.

This could be because you pay them to store the data on their servers or if they are providing an HR system to keep track of information about your organization’s employees.

In these situations where you’re not the only processor, you need a setup that ensures you’re still in charge of the processing and that the personal data is properly looked after.

This means that you should have a data processing agreement to instruct the data processor – your supplier – on what to do with the personal data.

Independent data controller

In the distribution of roles where your organization is the data controller and your supplier is the data processor, your supplier ‘borrows’ the legal basis for processing and purpose from you as the data controller.

However, this is not the case if your supplier is an independent data controller. Here, your supplier has its own legal basis for processing and purpose and is therefore also responsible for GDPR compliance.

You can get an overview of the ‘leeway’ your supplier has when they are either a data processor or an independent data controller here:

How to find out if your supplier is an independent data controller or data processor

We’ve listed five scenarios that indicate that your supplier is a data processor.

If they don’t apply to your organization, your supplier will typically be an independent data controller. However, please note that it’s not a requirement that you must be able to say yes to all the statements before your supplier is a data processor:

  1. The supplier performs a task that your organization could, in principle, have performed itself.
  2. The supplier only processes the data on your behalf.
  3. The agreement between you and the supplier contains a direct instruction on the processing of personal data (as opposed to an agreement that is only aimed at the provision of another service).
  4. You can require the return or deletion of the data from the supplier if you no longer want the supplier to process the data.
  5. You control that the supplier processes the data as agreed.

Joint data controllership

It can also happen that your organization is part of a joint data controllership with your supplier.

A classic example is if you have a company account on Facebook.

An organization and a supplier are joint controllers when the parties jointly decide how and why they process data.

For example, when an organization collaborates with a marketing supplier on a campaign where the parties jointly decide how they collect and use customer data.

It’s tricky to say which GDPR roles that are typically put together, as it depends on the type of business you have.


However, we see that many suppliers are data processors.


Therefore, the data processing agreement is a necessary document in your supplier management.

You can create one via ComplyCloud, for example – feel free to reach out to our in-house attorneys to hear more about it.

Want to know more about GDPR requirements?

Find everything you need in "The Little Guide to GDPR" - a straightforward breakdown of key obligations.

Download the guide
Published:
October 25, 2024
Category:
GDPR