Two of the most important roles in EU data protection law are those of the “data processor” and the “data controller”. Understanding these concepts and their interactions is essential to applying the GDPR. The controller/processor relationship largely boils down to an allocation of responsibility. Under the GDPR, data controllers have the primary responsibility of treating the personal data entrusted to them in conformance with the law (see Application of the GDPR for more information on Personal Data). 

Data Controller

The primary component necessary to meet the controller designation is that the natural or legal person makes a specific determination regarding “the purposes and means” of data processing. In evaluating whether a party determines the purposes and means of processing, the level of influence they have over the processing activities is critical. Specifically, does the actor determine the ‘how’ and the ‘why’ of data processing? If a party makes primary decisions about data, such as use and access requirements and length of storage, among other core control elements, they are most likely acting as a data controller.

In the HBP, the SPs will generally be “data controller” for the data collected and processed in their research. For instance, if an SP collects and processes human data, they will be considered data controller for that data and will be responsible for complying with the GDPR. Even when the project primarily evaluates “account related data” such as names and contact information, the SP will be responsible for meeting data protection requirements (e.g. accountability, documentation, deletion). When SPs introduce data into HBP platforms, such as the MIP or the NIP, they are responsible for making certain the data is compliant with the GDPR.

Joint Data Controller

If the purpose and means of processing is determined by various entities working in concert, they may be considered joint controllers where responsibility is shared. Joint controllers have some flexibility in allocation of obligations and responsibilities, as long a full compliance is obtained.

Data Processor

To qualify as a processor, two conditions must be met. First, the party must be a separate legal entity from the controller. Second, the processor must process data “only on documented instructions from the controller”. Being deemed a data processor has several advantages. Principal among them is the apportionment of liability. As long as the processor processes personal data under the instruction of the controller, it has reduced liability because most of the responsibility resides with the controller.  The classic example of a processor is an infrastructure or storage provider. The controller gives specific instructions on how data is stored and under what conditions. In some cases, the data is encrypted before being sent to the infrastructure provider, thus leaving the infrastructure provider with little influence over how the data is processed.

Prior to the GDPR, the controller/processor relationship was wholly contractual. Processor liability was also limited to the terms of the contract. Under the GDPR, processors now have direct statutory liability and are required to provide certain technical or organizational measures including keeping records of processing activities, reporting data breaches to controllers, among others. DPAs can now impose administrative fines on processors directly on processors in addition to other penalties for violating the GDPR, albeit in limited areas.

Contractual designations

An additional aspect of the “controller” and “processor” distinction is that it has been a relatively common practice to designate these roles in contract terms (ie providing that one party will always be deemed a processor). However, these terms are ineffective because they do not negate the requirements set out the GDPR. The GDPR places requirements on parties based on their actual roles or conduct in data processing operations and not simply on the labels they give themselves. Therefore, looking at what the parties actually do, rather than how they define their roles contractually, is dispositive when applying the GDPR. Ultimately, the “controller” or “processor” designation, and ultimately compliance responsibilities, will be based on conduct.

Additional Resources

Working Party 29 Opinion 1/2010 on the concepts of “controller” and “processor” WP 169 (2010)