Processor and Controller Obligations Under GDPR: A Cheat-Sheet

In continuing our blog series on the upcoming General Data Protection Regulation (GDPR), we’re going to spend a few minutes describing the different obligations the GDPR puts on data controllers and data processors, then leave you with a cheat-sheet with some quick action points to help you identify what tasks you, specifically, may need to ensure you have in place for compliance.

But first, some definitions.

The GDPR defines a data controller in Article 4(6) as:

“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”

Whereas a data processor (Article 4(7)) is:

“the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”

To give a more concrete example: if you’re an online retailer of widgets, and Jane Doe signs up for your mailing list hoping to learn more about your widgets (or maybe to lurk around until you have a sale), you’ll likely collect her email address—and maybe other contact information—when she signs up. Congratulations! You’ve just become a controller of Jane Doe’s personal data. She’s agreed to receive marketing messages from you, and you as the data controller can determine when and how to send those emails.

Now say you don’t actually send your own marketing emails, maybe you hire an email service provider (ESP) to help you craft your content, schedule the emails, and track and report on delivery. The ESP wouldn’t have rights to do whatever they wanted with Jane’s data, they’d only be entitled to help you draft your campaigns, send your emails, etc., at your request. The ESP, in this case, is the data processor.

Down the road, you decide to do a co-branded marketing effort with close Partner A of yours (which in this case is okay, because when Jane signed up, you got her consent to share her data with Partner A for this purpose). Through the negotiation process, you’ve decided to use Partner A’s ESP rather than yours to send the campaign. So you send your subscriber list (including Jane’s data) to your partner, who uploads it into their ESP. The emails get sent.

By virtue of sharing Jane’s data with Partner A for joint marketing activities, you’ve made Partner A a joint controller of Jane’s data. Partner A will continue to use Jane’s data outside the scope of your relationship with Jane. Partner A’s ESP is still a data processor and will have to adhere to both your and Partner A’s requirements, but you’ve also just introduced some complexities to your relationship with Jane that the GDPR will require you to keep track of. 

Under the GDPR, as owners of their data, data subjects are granted rights, such as: (Note that this is not a complete list.)

• Article 15 (right to access): Jane could write to you and ask for a copy of the personal data you’ve collected from her. You, as the data controller, would be required to comply with this request within 30 days of receipt of her request;
• Article 16 (right to rectification): if Jane finds the data you have on her to be inaccurate or incomplete, she could ask you to update it (like change her email address, or change the spelling of her name in your database);
• Article 17 (right to erasure): Jane could ask you to delete her data altogether. Maybe she’s withdrawing her consent to receive future messages from you, or maybe she thinks the campaigns you’re targeting at her are heading in the wrong direction, and she wants to start from scratch;
• Article 18 (right to restriction of processing): Maybe you’ve started tracking Jane’s opens and clicks (behavior based tracking), but Jane doesn’t think she consented to allow you to do that (According to the GDPR, behavior-based tracking will require consent. You can’t just assume you can do it). Jane can ask you to stop tracking her opens and clicks until you two sort out what she actually consented to;
• Article 20 (right to data portability): In some cases, Jane has the right to ask you to zip up her data and transfer it over to one of your competitors. (Yes! Really. This is intended to help Jane move her data—for example—from one mobile phone provider to another, or to move her social media presence easily from one app to another. If you are processing her data through “the performance of a contract” or “based upon consent”, this provision could apply to you.

If Jane decides to exercise her rights and asks to have you delete her data, in the single controller-processor paradigm, it’s fairly straightforward. You delete her data from your system and ask your processor (your ESP) to delete it from theirs as well.

However, in the joint controller model, per Article 17(2), you’ll need to not only delete it from your and your processor’s infrastructure, but you’ll also need to:

“take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure”

In other words, you’ll need to keep very careful records of where you sent Jane’s data and initiate data deletion requests on Jane’s behalf to any other joint-controllers who may have her data. Those joint-controllers will then also need to reach out to any processors they use, and delete Jane’s data from those systems as well.

And that’s just the start of your obligations as data processors and controllers of Jane’s information. See below for a quick list of what will be required under the GDPR, along with where you can find more details in the GDPR.

Data Security
Controller obligations:
Implement appropriate technical and organizational measures to protect the security of data.

• Encryption, pseudonymization of data if appropriate
• Ability to ensure confidentiality, integrity, and resilience of data
• Process for regularly testing, assessing and evaluating security
• Document your efforts.

Processor obligations:
Implement appropriate technical and organizational measures to protect the security of data.

• Encryption, pseudonymization of data if appropriate
• Ability to ensure confidentiality, integrity, and resilience of data
• Process for regularly testing, assessing and evaluating security
• Document your efforts.

GDPR Article:
Art. 32 Security of Processing

Breach Notification
Controller obligations:

• Inform supervisory authority within 72 hours of the breach if high risk likely to data subjects
• Data subject notice, if appropriate

Processor obligations:

• Inform controller without undue delay upon learning of a breach

GDPR Articles:
Art. 33 Notification of a data breach
Art. 34 Communication of a data breach to data subject

Principles of Data Processing
Controller obligations:

• Ensure data is processed lawfully and in a transparent manner to the data subject
• Ensure data collected and processed for specific purposes, and not in a manner incompatible with original purposes.
• Ensure collected data is accurate and up-to-date
• Ensure you are able to demonstrate compliance

GDPR Articles:
Art. 5 Principles relating to processing of personal data
Art. 6 Lawfulness of processing

Privacy Notice
Controller obligations:

• Must be available to the data subject.
• Describe what data will be collected and for what purposes.
• Detail any recipients who will receive the data, including if will be transferred outside EEA, and how data will be protected with onward transfer.
• If any legitimate interests exist in collecting and/or processing the data.
• Describe data retention and/or storage periods, or the criteria used to determine retention periods.
• Describe data subject rights, and how a data subject can exercise his/her rights.
• Details around any uses of automated decision-making.

GDPR Articles:
Art. 12 Transparent information, communication and modalities for the exercise of the rights of the data subject
Art. 13 Information to be provided where personal data are collected from data subject
Art. 14 Information to be provided where personal data have not been obtained from data subject

Contractual Requirements with Processor
Controller obligations:

• Only employ processors who can meet GDPR regulations.
• Only employ processors which can appropriately protect data subject data.
• Describe subject matter, duration, and nature of processing activity.
• Describe the nature and purpose of processing.
• Describe the types of personal data being processed.
• Describe categories of data subjects being processed.

Processor obligations:

• Only process the data on documented instructions from the controller
• Ensure all individuals authorized to process the data have committed to confidentiality agreements
• Assist controller in handling data subject access rights requests
• Assist controller with obligations around security and requests from supervisory authorities.
• Be available and able to assist controller with compliance obligations
• Delete or return all data upon controller request or requirement
• Outline any data transfers outside EEA and describe safeguards which will protect the data
• Contribute to audits conducted by the controller or other required authority
• Ensure any engagement of sub-processors meet same obligations required by the controller.
• Only engage sub-processors upon approval of controller.

GDPR Articles:
Art. 24 Responsibilities of Controller
Art. 28 Processor
Art. 29 Processing under authority of controller or processor

Adopt Data Protection Practices
Controller obligations:

• Be able to demonstrate principles of data minimization, and data protection by design and/or default are used, if appropriate
• Conduct privacy impact assessments on any processing activities that are likely to pose risk to the data subject

GDPR Articles:
Art. 5 Principles relating to processing of personal data
Art. 25 Data Protection by Design and Default
Art. 35 Data Protection impact assessment

Retain Records of Processing Activities
Controller obligations:

• Name/contact info of data controller and the DPO, or EU representative
• Document the categories of data subjects, categories of personal data, and recipients of the data
• Document lawful basis for any data transfers outside EEA and describe safeguards which will protect the data
• Data retention timeframes
• Document lawful basis for data processing activities

Processor obligations:

• Name/contact info of data controller and the DPO
• Categories of processing carried out for the controller

GDPR Article:
Art. 30 Records of Processing Activities

This is a lot to take in, and may seem like a lot of work. But in the long run, it will keep you and your partners in compliance with European law, and keep your data subjects’ rights protected. Looking for more GDPR insight? You can find more information in the GDPR category on our blog and in our on-demand webinar: The Path to GDPR.