Businesses going abroad for compliance: how to distinguish between data controllers and data processors


Example: A gym hires a local printing company to produce the special activity invitation letters for the event it is hosting. The gym provides the names and addresses of the members from the member database to the printing company, and the printing company uses this information to process the invitation letters and envelopes. Then the gym sends out the invitations.

The gym is the controller of the personal data processing related to the invitations. The gym determines the purposes of the processing (sending individual activity invitations) and the means of the processing (using the data subjects' address details in a mail merge). The printing company is a processor that processes the personal data solely on the gym's instructions.

In addition, when a business jointly decides with one or more other organizations on the 'reasons' (purposes) and 'methods' (means) for processing personal data, the business is a joint controller. Joint controllers must enter into an arrangement that sets out their respective obligations for complying with the GDPR. The essence of this arrangement must be made available to the individuals whose data is being processed.

Regarding joint controllers, Article 26 of the GDPR provides the legal basis:

  1. Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers. The joint controllers shall, in a transparent manner, determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercise of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, unless the respective responsibilities of the controllers are already determined by EU or Member State law. The arrangement may designate a contact point for data subjects.
  2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subjects.
  3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation against each of the controllers.

In practice, it is necessary to distinguish between data processors and joint controllers, as they have different scopes and sizes of responsibilities.

Case: A German academic institution named Wirtschaftsakademie Schleswig-Holstein GmbH operates a fan page on Facebook and collects user data through a feature called 'Facebook Insights' using browser caching. The purpose of data collection is to provide statistical information to the administrator of the fan page and publish targeted advertisements.

After the German Data Protection Authority found deficiencies in the data collection of the institution, it ordered the institution to stop collecting data and deactivate the fan page. The institution denied its legal liability for processing personal data on Facebook and protested against the order. It also denied providing instructions on data processing to Facebook and claimed that the German Data Protection Authority should take action directly against the data controller Facebook, and the academic institution is merely a user of Facebook.

The controversy of the case lies in determining whether the academic institution has the role of 'data controller' or whether this role only belongs to Facebook. On June 5, 2018, the European Court ruled that the administrator of the fan page must be considered as jointly responsible with Facebook for the processing of data as a data controller.

The court held that simply using Facebook does not, by itself, make the academic institution responsible for the processing of personal data on Facebook. However, Facebook Insights allows the administrator of the fan page, i.e., the academic institution, to obtain data collected from page visitors through cookies. That is, Facebook provides the administrator with statistics on user behavior derived from the collected cookie data, including age, gender, social network, occupation, lifestyle, and geographical location. Based on these data, the administrator can target special offers or organize events for the appropriate audience. Therefore, in the view of the European Court, the administrator of the fan page must be considered a data controller jointly responsible with Facebook for the processing of the data.

What is a data processor?

A data processor is responsible for processing any data provided by the data controller. A third-party data processor does not own the data they process nor control it. This means that the data processor will not be able to change the purpose and method of data use. The responsibilities of the data processor to the data controller must be clearly specified in the contract or other legal act. For example, the contract must specify how personal data should be handled after the contract terminates.

Article 28 of the GDPR regulates data processors:

  1. Where processing is carried out on behalf of a controller, the controller shall use only processors that provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of this Regulation and ensures the protection of the rights of data subjects.
  2. The processor shall not engage another processor without the prior specific or general written authorization of the controller. In the case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

The relationship between the two parties: The data controller can instruct the data processor on how to process the data, including the retention period and which users are permitted to access the data, or authorize the data processor to process the data according to its best judgment and industry standard practice. The data processor may only process personal data on documented instructions from the data controller, and without the controller's prior specific or general written authorization the processor may not engage another processor (a sub-processor) to help fulfil a specific contract.

Responsibilities of the data controller

  1. Determine the purposes and methods of processing: The data controller has the primary responsibility for determining the purposes and methods of collecting and processing personal data. They must clearly establish the legal basis for data processing and ensure that it is in line with the rights and expectations of the individuals or data subjects whose data is being processed. Data controllers must consider data privacy and protection principles and determine appropriate processing means and methods.
  2. Obtain consent: In many cases, data controllers must obtain the valid consent of individuals before processing personal data. This involves providing clear and concise information about the purposes of processing, types of data involved, and any potential third-party recipients. Data controllers must ensure that consent is freely given, specific, informed, and easily withdrawable.
  3. Ensure data security: The data controller is responsible for implementing appropriate security measures to protect the personal data they collect and process. This includes preventing unauthorized access, loss, destruction, alteration, or disclosure of personal data. Measures such as encryption, access control, and regular security assessments are crucial for maintaining data confidentiality, integrity, and availability.
  4. Provide transparency and privacy statements: The data controller must provide individuals with transparent and easily accessible information about the organization's processing practices. Privacy statements or policies should outline the types of personal data collected, processing purposes, data retention periods, and any third parties involved. By providing clear information, data controllers enable data subjects to make informed decisions and exercise their privacy rights.
  5. Promote the exercise of personal rights: The data controller must enable individuals to exercise their rights regarding personal data. This includes the rights to access, correct, delete, restrict processing, and object to processing. The data controller must establish appropriate procedures to handle privacy requests in a timely and effective manner, ensuring individuals can maintain their rights and maintain control over their data.
  6. Conduct Data Protection Impact Assessment (DPIA): In cases where data processing may pose a high risk to personal rights and freedoms, the data controller must carry out DPIA. These assessments help identify and mitigate potential privacy risks by evaluating the necessity, proportionality, and impact of processing activities. DPIA allows data controllers to implement appropriate measures to protect personal data and comply with legal requirements.
  7. Establishing data processing agreements: When data processors process personal data on behalf of others, the data controller must establish clear and comprehensive data processing agreements. These agreements outline the specific instructions, security obligations, and data protection requirements that data processors must comply with. By entering into these contracts, data controllers ensure that processors handle personal data in accordance with applicable laws and regulations.

Responsibilities of Data Processors

1. Processing data according to instructions: Data processors must process personal data in accordance with the instructions provided by the data controller. Unless legally required, they should not deviate from these instructions. Data processors should only collect, store, and use personal data to achieve specific purposes as defined by the data controller, and shall not use it for any other purposes without explicit authorization.

2. Ensuring data security and confidentiality: Data processors are responsible for implementing strong security measures to protect the personal data they process. This includes maintaining the confidentiality, integrity, and availability of the data, and preventing unauthorized access, data loss, or leakage. Appropriate security measures, such as encryption, access control, and regular security assessments, should be taken to protect data and prevent data breaches.

3. Assistance to the data controller: Data processors have an obligation to assist the data controller in fulfilling its duties. This may involve supporting the data controller in responding to Data Subject Requests (DSRs) to exercise data protection rights, such as accessing personal data or correcting inaccuracies. Data processors should also cooperate with data controllers in carrying out a DPIA/PIA and in complying with data protection regulations.

4. Subcontracting and data sharing: If data processors hire subcontractors or share personal data with third parties, they must ensure that these entities comply with the same data protection standards. Data processors should enter into appropriate contract agreements with these parties, outlining their data protection obligations and ensuring the processing of personal data in accordance with applicable laws and regulations.

5. Data breach notification: If a data breach occurs, data processors are responsible for immediately notifying the data controller. They should provide all necessary information to assist the data controller in fulfilling the obligations under data protection laws to notify affected individuals and regulatory authorities.

6. Data deletion and retention: Data processors must follow the instructions of the data controller regarding the retention and deletion of personal data. Once the processing purpose is completed, data processors should securely delete or anonymize personal data unless there is a legal obligation to retain such data. The retention period for personal data should not exceed the specified retention period defined by the data controller.

7. Adherence to data protection laws: Data processors must comply with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR) and other relevant privacy laws. They should keep abreast of the obligations stipulated by these laws and maintain internal policies and procedures that reflect the current best practices in data protection.
