Data Subjects, Data Controllers and Data Processors are the three main terms used in various data protection laws and regulations to describe the main actors in the value chain, although there are variations on the theme which we shall discuss later in this paper. Articles 24 – 34 GDPR lay out the roles, responsibilities and many of the activities that need to be carried out by each party.
A Data Subject is an identified or identifiable natural person, i.e. you and me. The GDPR has a complete (!!) definition of what an identified or identifiable natural person is: “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The Data Controller is the entity that determines the purposes and means of the data processing activity. The Data Controller could be a company, public body, not-for-profit organisation or even an individual person. The Data Controller is responsible for, and must be able to demonstrate, compliance with the GDPR along the length of the value chain, including Joint Data Controllers, Data Processors and Data Sub-Processors – see below. Obvious examples are retailers, schools, GP surgeries and lawyers; in fact any organisation that employs or talks to people.
Joint Data Controller
Where two or more Data Controllers jointly determine the purposes and means of the processing activity, they are defined as Joint Data Controllers. It is critical that each party defines its roles and responsibilities in a transparent arrangement between them, e.g. who will deal with requests from Data Subjects, who will be the lead party in liaising with the Supervisory Authorities and Regulators, who will be in charge of reporting and handling a personal data breach, and so on. All of this is in addition to normal daily business!
An example of a Joint Controller would be where one company provides a ‘white label’ product to another company. Here the branding is with company A, and therefore the customer would be regarded as theirs, but the processing is done by company B. Company B holds the data and does the data processing and, should there be a problem, would most likely be its source. An example would be Ecomnova, who provided Debenhams with various e-commerce products including flowers, hampers and wines. Unfortunately in 2017 Ecomnova was hacked and 26,000 Debenhams customers’ payment details, names and addresses were accessed or stolen during the attack.
The Data Processor could be a company, public body, not-for-profit organisation or an individual person. The Data Processor is the entity that processes personal data on behalf of the Data Controller, but only on their written instructions, and the Data Processor must return or delete the personal data after the processing has been finished. Common examples would be Cloud service providers, outsourced payroll providers, marketing companies and advertising agencies.
Sometimes the Data Processor doesn’t have the capacity, skills or experience to complete all of the processing activities. Therefore it will want to appoint a specialist Sub-Processor. This is perfectly allowable as long as the Data Controller has given prior written authorisation, either specific to that Sub-Processor or general (Article 28, GDPR); under a general authorisation the Processor must still inform the Controller of any intended change of Sub-Processor so that the Controller can object.
Points to Note and Remember:
- The Data Controller is accountable for compliance along the length of the value chain. This includes making sure that every Processor and Sub-Processor is compliant through its technical and organisational measures and can demonstrate compliance. It may also require the Data Controller to audit the technical and organisational measures deployed by the Data Processor. This means the choice of which Processor to use should be based more on standards and quality of operations than on price.
- The contracts between the Data Controllers, Data Processors and Sub-Processors must reflect the point above and must include additional confidentiality clauses binding the people who process the data.
- Part of ensuring compliance is aligning each party’s risk appetite, as they may differ. The default setting is to take the party with the lowest risk appetite as the standard. This is achieved by conducting a risk assessment along the value chain, identifying the key risks and applying the relevant technical and organisational measures to reduce the risk to the lowest residual risk possible. It should be remembered that if the residual risk could still carry a high probability of damage or distress to the Data Subject, then prior consultation with the Supervisory Authority is required (Article 36 GDPR).
- Knowing exactly where the personal data is sent and / or backed up is important. For example, if a Sub-Processor’s head office is in the USA and it backs up the data to servers in the USA, the Data Controller must tell the Data Subject about the transfer in the Data Privacy Notice, and the transfer itself must rest on one of the lawful transfer mechanisms in Chapter V GDPR.
- All parties within the value chain that are responsible for the damage are jointly and severally liable for damage and distress caused to the Data Subject (Article 82 GDPR). This means that the Data Subject can claim full compensation from any one of them, and that party may then recover the others’ share of the compensation from them. A Processor is liable only where it has not complied with the obligations placed on Processors or has acted outside the Data Controller’s lawful instructions.
- Each party needs to play its part when Data Subjects exercise one of their seven Rights. For example, if a Data Subject wants their personal data deleted, then it must be deleted by every Data Controller, Processor and Sub-Processor, and the Data Controller must be able to confirm that this has happened.
- Data Processors and Sub-Processors may only undertake processing activities on the written instructions of the Data Controller. Once the processing activity has been completed, the personal data must be either returned to the Data Controller or securely destroyed, at the Data Controller’s choice.
- Data Processors must not keep the personal data, unless another law requires them to retain it.
When considering processing of personal data, it is very important that each party understands where it fits in the value chain, its roles and responsibilities, and its vulnerabilities and liabilities. The Data Controller needs to be acutely aware that it is responsible for GDPR compliance throughout the value chain. Contracts can assist in making sure that each party plays its part responsibly; however, the risk assessments and audits conducted before any processing takes place are vital in adhering to the principle of Data Protection by Design and Default (Article 25 GDPR).