GDPR: Are you a processor or a controller?

Publication date: 12 November 2018

Since the GDPR entered into force, companies have been breaching the new privacy legislation on a large scale. This is mainly caused by ignorance. Companies are often confused about the terms controller and processor when processing personal data. This may lead to incorrect fulfilment of the obligations arising from the mandatory processing agreement.

On 25 May 2018, the General Data Protection Regulation (GDPR) entered into force. This European privacy regulation includes rules for the (automated) processing of personal data. By now, several months have passed and it turns out that companies unintentionally breach the new legislation often and on a large scale. In particular, it is unclear when one qualifies as a “processor” of personal data and when as a “controller”. This is crucial when it comes to introducing a Privacy Statement and concluding the required processing agreements. So how exactly are the roles defined?

General Data Protection Regulation (GDPR)

The new European privacy legislation is intended to protect the privacy of EU citizens. The GDPR applies to all companies and institutions holding and processing personal data of EU citizens both within and outside the EU.

The GDPR requires organisations to make clear in advance which personal data they will be processing, for which purposes, who the personal data might have to be shared with, and how long personal data will be stored. This can be done by means of a Privacy Statement on the website of the organisation.

Who is a controller?

The controller is the organisation that, alone or jointly with others, determines the purposes and means of the processing of personal data. In other words, this party decides “why” and “how” personal data will be processed.

Under the GDPR, the controller is accountable; this means the organisation must be able to demonstrate that it complies with the GDPR rules. Part of this could be the aforementioned Privacy Statement on the company website. As almost every company processes personal data – even if it is just the data of its own personnel – you will quickly qualify as a controller.

Who is a processor?

The processor is the party engaged by the controller to process personal data on its behalf. In this situation, the controller defines “what” has to be done and “how” it has to be done. It is important that the party processing the data is not under the direct authority of the controller: an employee of the organisation itself is not considered a processor under the GDPR. Usually, the processor is a party outside the enterprise. Here are a few (easy) examples:

  • An administrative office engaged to process salary payments.
  • A cloud service provider offering IT solutions.

Under the GDPR the processor has several new obligations. Permission must be obtained before engaging another processor (a so-called “sub-processor”), data leaks must be reported and records of processing must be kept.

Difficult cases

Sometimes it is rather difficult to say whether you are dealing with a “processor”. A key factor is how much scope a service provider has to determine what it does. As a processor you have no control over the data processing: the processor may only act under the responsibility of the controller and upon its instructions. When the processor itself takes decisions about the purposes and means of the processing, it becomes responsible for that (new) processing of data. This means that merely receiving an assignment from a controller is not sufficient to qualify as a “processor”.

Some examples:

  • A cloud service provider provides a fitness app for companies and for this purpose processes the personal data of members. The cloud service provider qualifies as a controller, as it determines which kind of personal data will be processed and how it is used.
  • A cloud service provider offers data storage only. The cloud service provider will qualify as a processor as it will process the personal data on behalf of and upon instruction of the controller.

The decisive factor is thus: How much scope does the service provider have to independently determine the purposes and means to perform its task(s)?

Controller and processor

Organisations can be both processor and controller. The aforementioned administrative office which processes the personal data of others will also be the controller of the personal data of its own employees.

Processing agreement

Under the GDPR, the processor has been given several new independent obligations. The most important ones – which create a lot of confusion – must be included in the processing agreement. The purpose of the processing agreement is to lay down which data processing will be carried out by a processor on behalf of a controller.

Both controller and processor can be held accountable for the absence of such an agreement. This means both are required to conclude a processing agreement, on pain of a fine.

Content of processing agreement

A processing agreement mainly contains the obligations of a processor, such as:

  • Personal data are to be processed solely on the basis of written instructions from the controller.
  • Ensuring that employees processing personal data comply with confidentiality.
  • Taking suitable technical and organisational measures for the protection of the processing and, where possible, assisting the controller in doing so.
  • Requesting permission for hiring another processor (“sub-processor”).
  • Answering requests regarding the rights of data subjects under the law.
  • Deleting or returning of personal data, or deleting of existing copies upon completion of processing services.
  • Making available to the controller all information required for inspections or to demonstrate that the controller fulfils its obligation to use best efforts.

In addition, the following has to be included in a processing agreement:

  • the subject
  • the duration of processing
  • the nature and purposes of processing
  • the type of personal data
  • the categories of data subjects (persons whose data are processed)
  • the rights and obligations of the processor and controller.

Difficult cases

In practice, it is often unclear to companies who is the “processor” and who is the “controller”. As a result, the roles in agreements are often reversed and the party that commissions the processing is designated as “processor”. As these parties have different responsibilities towards each other, it is crucial to accurately determine whether you are a processor or a controller.

Fines in the event of a breach

By now, the GDPR has been in force for several months. Under the GDPR, the controller and processor are required to comply with the stipulations of the regulation. If companies do not (yet) comply with the new legislation, they can be fined by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens; AP). The fine can be up to 20 million euros or 4% of the global annual turnover, whichever is higher.

Our advice

  • Make sure to always conclude a processing agreement if you have third parties process personal data.
  • Get legal advice if you are not sure whether you are a processor or controller.

More information

Would you like to know whether your company is “GDPR proof”? Would you like Russell Advocaten to draft a processing agreement or check your existing agreements? Please contact us:
