Outsourcing of certain business processes is standard for most companies these days, even for small and mid-size companies. Through outsourcing, business processes within a group of companies can be handled efficiently, or access to an advanced IT infrastructure can be obtained. Outsourcing usually involves transferring personal data, such as employee data, customer data or supplier data. The outsourcing provider is a processor and the outsourcing customer is a controller. So far so good. But what if the provider uses the data for its own purposes too? And what if the customer is told what to do by the processor when processing the data? This article explains on which basis the individual roles of controller and processor can be determined, taking into account the EU General Data Protection Regulation (GDPR).
Looking at the Regulation
Article 3 of the European Union General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR" or "Regulation") gives the Regulation extraterritorial scope. Accordingly, it applies (i) to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not, and (ii) to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. Consequently, the GDPR is also relevant for many companies outside of the Union, e.g. in Switzerland.
First Step to Comply with the Regulation
The first step to complying with the Regulation is to define a natural or legal person's role under the Regulation: controller or processor, or in some cases both. Only with a clear determination of the role can an assessment of the rights and obligations for that particular legal or natural person be made.
The controller is the contact person of the data subjects and is responsible for ensuring that their rights laid down in the Regulation are respected. Involving a third party in the processing does not change this. Rather, the controller has further obligations if it involves a third party.
For example, the controller must ensure that the processing by a processor is governed by a contract or other legal act that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller, as further stipulated in article 28 GDPR. Drafting a GDPR-compliant data processing agreement is not rocket science: article 28 para 3 stipulates all duties and obligations that must be covered by a processing agreement.
Pursuant to the Regulation, the controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, and the processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. These definitions are easy to understand: the controller collects personal data for a specific purpose and passes it on to the processor for processing on its behalf for the same purpose. In practice, however, the allocation is not always that simple. For example, consider the following situations:
- A medical devices manufacturer sells its devices to an importer, which resells the devices to distributors and device user facilities such as hospitals. In some jurisdictions, the manufacturer, the importer, the distributor and the device user facilities each separately have a reporting obligation in case of malfunctioning devices. The obligation itself and the required information, in particular the personal data, may vary, however. All repairs and warranty work are carried out by the manufacturer irrespective of the reporting obligations (complaint handling services).
- A financial service provider is distributing shares in collective investment schemes on behalf of a fund and is therefore collecting personal data of investors. The service provider is subject to certain reporting duties, e.g. under anti-money laundering laws.
- A bricks-and-mortar business wishes to set up a portal to enable internet users to register for a competition. For this purpose it engages an external provider to run the registration process. The external provider dictates what data is to be provided, the terms on which it will be processed and for what purposes the data is to be used.
Determine the Role of Each Party
As mentioned above, article 4 (7) of the GDPR stipulates that the controller is the natural or legal person which determines the purposes and means of the processing of personal data. Accordingly, you first need to look at the purpose for which the personal data is collected, and second you need to clarify who determines this purpose and the means of processing of the personal data. Coming back to the examples, this means:
- Medical devices: (a) where the medical devices manufacturer alone has a reporting obligation, the medical devices manufacturer acts as controller of the personal data required for the reporting obligation and as processor of further personal data for complaint handling services (assuming that the products are not sold directly by the manufacturer), and the importer, the distributor and the device user facility act as controller; and (b) where the medical devices manufacturer and the importer, the distributor as well as the device user facility each have a reporting obligation, the manufacturer acts as processor for the fulfillment of the importer's, the distributor's and the device user facility's reporting obligations and as controller for the fulfillment of its own reporting obligation, and the importer, the distributor and the device user facility act as controller.
- Financial service provider: for the personal data required for the service provider's compliance with the reporting duties pursuant to financial market laws, the service provider is controller and (if the fund also requires such personal data as part of the provision of the services by the service provider) the fund is also controller. If the service provider is collecting further personal data that goes beyond the personal data required for its reporting obligations, then for such data the service provider is acting as processor and the fund as controller.
- Online portal: for the data collected by the online portal, the bricks-and-mortar business operating the portal is controller. It outsources a part of the function of the portal to a service provider, but the service provider determines the purposes for which it may use the data, typically in general terms and conditions that cannot be amended. Both provider and customer are therefore controllers. To the extent the service provider requires the customer to process the data in certain ways on its behalf, the customer is also a processor. This may be the case for many online-advertising and analytics providers.
As shown in this article, the determination of the roles between two parties in connection with the processing of personal data needs to be carefully analysed in each individual case.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.