- Mihaela Cracea
- Jan 5, 2024
- 7 min read
Although from the definitions given by the GDPR it seems that we understand quite well what a data controller or a data processor means, in practice, although 5 years since the entry into force of the GDPR have passed, assigning one or the other of these qualities to an entity that processes personal data is not an easy task. Thus, the actual circumstances in which the personal data are processed, the roles of the participants to the processing, the independence or, on the contrary, the decision-making dependence, are all factors which have to be analysed in order to establish the quality of an entity, either as an independent data controller, a joint controller or a data processor.
Independent Data Controller is the entity that determines (i) the purpose and (ii) the means of personal data processing.
But what exactly do these concepts mean?
The purpose of processing is nothing else than "the reason, the final objective for which that processing is necessary", respectively, “what the legal entity in question seeks to obtain from processing data in a certain situation”. Therefore, by analysing the purpose, it will also be possible to determine the entity to which that purpose directly serves. If the purpose clearly serves a particular entity, then that entity is most likely also the data controller. Simply put, the data controller is the entity with which the purpose has the closest ties.
Some examples:
an employer will process the data of its employees for the purposes of the employment relationships and for the performance of the obligations arising from the employment contract;
a travel agency will process customer data in order to fulfil contractual obligations regarding the provision of tourism services;
a company that sells clothing or any other type of consumer goods will process the data of the participants to the promotional campaigns it runs for the purpose of organizing these campaigns, designating the winners and awarding the prizes;
a medical service provider will process medical data from patients in order to provide the medical services requested by them;
a personnel recruitment company will process the personal data of candidates for the purpose of providing recruitment services.
As can be seen from the examples above, most of the time, the quality of data controller is dictated by the close relationship between the company → the services/products it offers and → its clients (i.e. natural persons whose personal data are processed, referred to by the GDPR as "data subjects").
Means of processing represent the way, the method, the process by which that goal can be achieved.
These means must be viewed from two perspectives, in relation to their importance and impact on data processing, the second perspective having a close connection with the concept of data processor which we will analyze below.
Essential means of processing whose nature is rather of a legal importance, regarding the categories of personal data processed, the persons to whom the data are disclosed, the period for which the data are processed for a specific purpose.
Non-essential means of processing which are more of a logistical nature, mainly related to the actual way of implementing essential means. These are often varied and have an alternative character. Especially because the data controller can replace them with others without changing the purpose of the processing or the essential means, they are not of the essence of that processing.
Some examples:
the processing of payroll and salary data can be done by a data controller using the software program x, which the same data controller later changes to software program Y. Therefore, the purpose of the processing does not change, nor do the essential means of processing (the same data, for the same periods will be processed, etc.), changing only the non-essential logistic mean which is the software program.
the data controller can organize a promotional campaign to which several participants can sign up. The method of collecting data from participants can be done either by email correspondence, or through social networks, or through a platform dedicated to the respective campaign. So, these means of data processing (data collection is a type of data processing, a notion that will be clarified in a future article) are alternative options that the data controller can use without affecting either the purpose of the processing or the essential means of this processing.
Joint controllers are in fact data controllers, as analysed above, which have a common purpose of processing. This means that, jointly, two or more data controllers (independent data controllers in other circumstances), with regard to a specific project, have a common interest and consequently, they establish together, both the purpose and the means of processing. To be joint controllers, it is not absolutely necessary that each of the joint data controllers processes the data collected in an absolute identity, for the same periods of time etc., but rather to pursue the same objective for the achievement of which to use the same (even in different proportions) means of processing.
Some examples:
a cosmetics company and another spa & wellness services company want to jointly promote themselves, in the sense that they are starting a contest-type promotional campaign in which several people can sign up, with the winners receiving a package of cosmetic products as a gift and a spa voucher. Through the campaign regulations, the two entities establish the common purpose, as well as the means of processing, i.e. what types of data they will collect, for what period they will store them, to whom they will give access to the data, but also how they will do all this concretely (through what platforms will run the campaign, in which database they will collect and store the data, etc.)
a company that offers recruitment services is requested by a company to identify a person to occupy position x. The recruitment company has a portfolio of people looking for a job (potential candidates), but it will identify, in the market, other people who meet the requirements of that position. In a first stage, recruitment involves a verification of the CVs of potential candidates, from the portfolio of the recruiting company or identified later, and the first interviews, only by the recruiting company, during which the recruiting company will act as an independent data controller. But, in a next step, 3 of the shortlisted candidates will have meetings and will also need to be known by the client. From this moment, until the completion of the recruitment process, the recruitment company and the client can be considered as joint data controllers as they have a common goal (recruitment of the best candidate) and the means by which they achieve the goal are jointly determined (the client and the company of recruitment participates in meetings with candidates, exchanges impressions, information about his experience, his expectations in the position report for which the recruitment process is taking place, etc.)
Data Processor is the entity that processes data on behalf of the independent data controller or of the joint data controllers. The data processor does not pursue its own goal in relation to the data subjects whose data are processed, but only in relation to the data controller/s, by providing the data controller/s its supporting services in its/their effort/s to achieving its/their own goals. It is true that, in practice, the data processor has his own contribution to achieving the purpose of the processing, especially by using its own non-essential means for that purpose or proposed by it. However, given the fact that these means used by it are non-essential, the data processor does not take the decision neither with regard to the purpose, nor with regard to what personal data must be processed.
The data processor may advise the data controller, but it will not take a decision in the absence of the approval of the data controller, even if that approval has a general nature and it is not specific to a particular case. So, in the end, it is still the decision of the data controller in establishing the rights and powers of the data processor with respect to data processing, the limits of such powers, establishing the mandate of the data processor within which it can exercise its role of proxy (these are actually the "instructions" of the data controller to the data processor).
Some examples:
an employer uses a payroll company to perform all its duties towards its employees. The payroll service provider owns its own software (non-essential means) to provide the services to the employer. However, in this relationship, the payroll company will never act as data controller because it does not determine the purpose and the essential means of processing (it will not determine the salaries of the employees, nor their days off, the annual leaves, the value of the allowance for overtime, nor whether it pays a bonus to the employee or not). The payroll company will always be a data processor in relation to the services it offers.
a company which runs a promotional campaign hires an advertising agency to manage the campaign. The advertising agency may have the freedom to choose the (non-essential) means of processing the participants’ data (e.g. on which social networks to run the campaign), but running the campaign, the targeted audience, the period of time when the campaign would be run, the nature of the prizes to be awarded, etc. will be chosen by the beneficiary of the company which acts as data controller and not by the advertising agency.
HINT! As a general rule (without excluding exceptions and which must be analyzed on a case-by-case basis), when one aims to determine whether a legal entity has the capacity of data controller or data processor, they may analyze whether that legal entity services, by their nature, are addressed merely or in the same degree to legal entities and to individuals or only to one of these categories. If they are, rather, designed to be provided to legal entities, and not (or in a small degree) to individuals, the likelihood that such legal entity acting as a data processor is very high. On the contrary, if the services of an entity are, by their nature, oferred mainly to individuals or, in a similar degree to natural persons and legal entities, the likelihood that the third party is a data controller is very high.
Some examples:
services addressed, by their nature, mainly to legal entities = their providers act mainly as data processors: health & safety services, payroll, accounting, IT maintenance, cloud services, advertising agencies, call centre services;
services addressed, by their nature, mainly to natural persons or equally to natural and legal persons = act mainly as data controller: medical service providers, travel agencies, legal advisors, public notaries, insurance companies.
