Publication date: 12 November 2018
Since the GDPR has entered into force, companies have been breaching the new privacy legislation on a large scale. This is mainly caused by ignorance. Companies are often confused about the terms controller and processor when processing personal data. This may lead to incorrect fulfilment of the obligations arising from the mandatory processing agreement.
The General Data Protection Regulation (GDPR) has applied since 25 May 2018. This European privacy regulation lays down rules for the (automated) processing of personal data. Several months have passed since then, and it turns out that companies unintentionally breach the new legislation often and on a large scale. In particular, it is unclear when an organisation qualifies as a “processor” of personal data and when as a “controller”. This distinction is crucial when drawing up a Privacy Statement and concluding the required processing agreements. So how exactly are the roles defined?
The new European privacy legislation is intended to protect the privacy of individuals in the EU. The GDPR applies to all companies and institutions holding and processing personal data of individuals in the EU, whether the organisation itself is established within or outside the EU.
The GDPR requires organisations to make clear in advance which personal data they will be processing, for which purposes, who the personal data might have to be shared with, and how long personal data will be stored. This can be done by means of a Privacy Statement on the website of the organisation.
The controller is the organisation that, alone or jointly with others, determines the purposes and means of the processing of personal data. In other words, the controller decides “why” and “how” personal data will be processed.
Under the GDPR, the controller is accountable: the organisation must be able to demonstrate that it complies with the GDPR rules. The aforementioned Privacy Statement on the company website can be part of that demonstration. As almost every organisation processes personal data, even if only the data of its own personnel, almost every organisation qualifies as a controller.
The processor is the party engaged by the controller to process personal data on the controller’s behalf. In this situation, the controller defines “what” has to be done and “how” it has to be done, and the processor carries out those instructions. It is important that the party processing the data is not under the direct authority of the controller: an employee of the organisation itself is not a processor under the GDPR. Usually, the processor is a party outside the enterprise. Here are a few (easy) examples:
Under the GDPR, the processor has several new obligations of its own. It must obtain the controller’s prior authorisation before engaging another processor (a so-called “sub-processor”), it must report personal data breaches to the controller, and it must keep a record of its processing activities.
Sometimes it is rather difficult to say whether a party is a “processor”. The key question is how much scope the service provider has to determine what it does. A processor has no say over the purposes of the data processing: it may only act under the responsibility of the controller and on the controller’s instructions. A party that takes its own decisions about the purposes and means of the processing becomes the controller of that (new) processing. This means that the mere fact that you receive an assignment from a controller is not sufficient to qualify as a “processor”.
The decisive factor is thus: How much scope does the service provider have to independently determine the purposes and means to perform its task(s)?
Organisations can be both processor and controller. The aforementioned administrative office which processes the personal data of others will also be the controller of the personal data of its own employees.
Under the GDPR, the processor has been given several new independent obligations. The most important ones, which cause a lot of confusion in practice, must be laid down in the processing agreement. The purpose of the processing agreement is to record which data processing a processor will carry out on behalf of a controller, and under which conditions.
Both the controller and the processor can be held accountable if there is no such agreement. This means that both parties are required to conclude a processing agreement, on pain of a fine.
A processing agreement mainly contains the obligations of a processor, such as:
In addition, the following has to be included in a processing agreement:
In practice, it is often unclear to companies who is the “processor” and who is the “controller”. As a result, the roles in agreements are frequently reversed, and the party commissioning the processing is labelled the “processor”. As the two parties have different responsibilities towards each other, it is crucial to determine accurately whether you are a processor or a controller.
The GDPR has now applied for several months. Both the controller and the processor are required to comply with its provisions. Companies that do not (yet) comply with the new legislation can be fined by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens; AP). The fine can be up to 20 million euros or 4% of the global annual turnover, whichever amount is higher.
Would you like to know whether your company is “GDPR proof”? Would you like Russell Advocaten to draft a processing agreement or check your existing agreements? Please contact us: