Drafting, reviewing, or negotiating a data processing agreement (DPA) can be a daunting task. This is why we created the LEXR Bridge DPA Generator, a simple questionnaire that provides you with a trusted DPA template based on the EU Commission’s standard.
The aim of this series is to provide useful tips to understand your DPA, adjust it according to your company’s needs, and negotiate with your business partners. In this first article, we will examine how you can determine whether you are a controller or a processor.
The General Data Protection Regulation (GDPR) and the revised Swiss Federal Act on Data Protection (FADP) (in force since 1 September 2023) define distinct roles and responsibilities for data controllers and data processors. Identifying which category you fall into for a given processing activity, before you sign a DPA, is crucial: the role determines which obligations you take on and what you are liable for.
Who is a data controller?
A data controller is a business, organisation, natural person or authority which, alone or jointly with others, determines the purposes and means of the processing of personal data. Broadly speaking, a data controller is a person or company that has identified a reason to process personal data and has then decided how to go about doing so.
Here are some examples of companies acting as data controllers:
- Zalando collects delivery addresses from its customers in order to mail their products.
- Facebook collects profile data and uses it to target ads.
- A YouTuber collects email addresses from their fans to start a mailing list.
Data controllers have several responsibilities, including:
- Responding to data subjects' requests (access, rectification, erasure and the other data subject rights).
- Concluding a data processing agreement with each data processor they appoint.
- Being liable for damage caused by processing that infringes the GDPR.
Who is a data processor?
A data processor under the GDPR and the revised FADP is a business, organisation, natural person or authority that processes personal data on behalf of, and for the purposes determined by, the controller, under the terms of the data processing agreement.
A data processor does not have the primary interest in the end result of the data processing. A data processor may benefit from the processing of the personal data, e.g. by receiving a fee for it, but it processes the personal data because the controller has asked it to do so.
Here are some examples of companies that act primarily as data processors:
- MailChimp receives a list of email addresses and a brief from a customer. It sends a series of marketing emails based on its customer’s instructions.
- Hotjar collects IP addresses and tracks the behavior of users of a website. It presents the website’s owner with insights into how the website is used.
- Shopify receives customer data from a website controlled by a merchant. It provides a shopping cart and other e-commerce functions.
The main responsibility of a data processor is to abide by the data processing agreement with the data controller. The processor may not change the purposes or the means by which the data are used, e.g. by starting to use the controller's customer data for its own marketing purposes. Data processors are bound by the controller's documented instructions. Accordingly, a processor is liable for the damage caused by processing only where it has not complied with the obligations of the GDPR specifically directed to processors, or where it has acted outside or contrary to the controller's lawful instructions.
How do you determine whether you are a controller or processor?
No company is by its nature a controller or a processor (or both). Instead, a company can be a controller for one activity and a processor for another. Therefore, you need to look at the specific personal data and the specific processing activity that is taking place, and ask who determines the purposes and the manner of that particular processing.
The controller usually decides:
- What types of personal data to collect.
- The purpose or purposes the data are to be used for.
- Which individuals to collect data about.
- Whether to disclose the data and if so, to whom.
These are all decisions that can only be taken by the controller as part of its overall control of the data processing operation.
However, within the terms of the data processing agreement, a processor may decide:
- What IT systems or other methods to use to collect personal data.
- How to store personal data.
- The details of the security measures to protect the personal data.
How does this apply in practice?
The above test can be difficult to apply amid the complexity of modern business relationships. The key is to determine each party's degree of independence in deciding why and in what manner the data are processed. One practical caveat: a processor that goes beyond the controller's instructions and determines the purposes and means of the processing itself is treated as a controller for that processing (Art. 28(10) GDPR), with all the obligations and liability that entails.
We hope that you now have a better understanding of the nature and responsibilities of data controllers and processors. If you have any questions, please do not hesitate to contact us.