Personal Data Controllers and Processors
The General Data Protection Regulation (GDPR) envisages serious sanctions for personal data breaches. However, rules are different, depending on the function of the person in the personal data processing, i.e. whether the person determines the purposes and means of this processing or simply processes them on behalf of another person. Therefore it is necessary to distinguish between the terms “controller” and “processor” of personal data and hence to highlight the differences in their responsibilities relating to the processing of personal data.
Within the meaning of the GDPR, the processing of personal data includes all processes of collection, recording and, generally, use of information relating to an identified or idenfiable natural person. For instance, the provision of cloud services in which the customer stores personal data within the allocated cloud space is a case of processing of personal data. In this particular case, the service provider does not normally use the personal data stored there for the purposes of providing the service but the provider could have access to them and, at the same time, has the obligation to ensure the security of the servers in which the data are located. It is also worth noting that personal data is not always easy to be categorized as such: names, identity card details and the like are clearly personal data but there are other categories of data which could relate to an identifiable natural person provided that they are combined with other data. Thus, for example, the data on the location of an automobile obtained together with the information on the owner or motorist could identify the current location of the person and his or her address or business relations. For this reason, whenever an assessment is to be made whether the data to be processed are personal or not, it must be made clear if any additional data that might not even be available at that point of time could enable the identification of a natural person.
In accordance with the definition given above, everybody should assess their role in the data processing and understand their duties and responsibilities in this respect before any operation involving personal data starts. The most important role and the greatest responsibility respectively are assigned to the controller of personal data, i.e. the person who determines the purposes and meaning of the personal data processing. On the other hand, the processor is the person who is assigned specific storage, transmission, sorting and other operations with personal data. The most salient characteristic of the processor of personal data is that it is not the person to determine the purposes of the processing or, in other words, the processor does not decide what will happen to the personal data. These purposes are established by the controller and the processor might be given some leeway in the choice of the means to achieve the purpose but the selected means are subject to the consent of the controller who has given the processing assignment. To go back to the example with the provision of cloud services, the customer is the controller as the customer has collected personal data for a purpose of his or her choice and assigned the service provider to store the data and to provide access to them under certain terms and conditions. In this case, the service provider is a controller of personal data as long as the service provider acts within the scope of the assignment. But the service provider could become a controller if, for instance, the service provider decides to use the data collected by the customers for his or her own purposes, e.g. to send advertising messages, etc.
There is a clear distinction between the roles of the controller and the processor in each operation of personal data processing, although it is typically the same person who acts as a controller in some instances and as a processor in others in the course of a single day and sometime even with regard to the same data. In the example with the cloud services, the service provider is a processor with regard to the data the storage of which is assigned to the service provider by the customer but the service provider is a controller with regard to the data of the customer (name, representatives, etc.) which the provider processes for the purposes of implementing the contract on the provision of cloud services.
Two important comments should be made in relation to the distinction between controllers and processors. Firstly, both natural and legal persons could act as controllers or processors. However, this does not mean that the employees of the controller are processors because the terms “controller” and “processor” imply a certain degree of independence and freedom in making decisions concerning the data processing. For example, it is the company using the data and not the CEO that is the controller. Yet, a natural person can also be a controller if that person is self-employed for the purposes for which the data are processed. The same logic applies to processors. A natural person providing a specific service on a free-lance basis can be a processor but the employees of a company providing the same service on its own account are not processors. Secondly, it is important to note the possibility for two or more persons to act jointly as administrators. This is a complicated situation in which the joint administrators make the decisions on the purposes and means of processing jointly. It is assumed that two or more persons are joint administrators where the processing cannot be done separately by each of them but it can be done only jointly.
Controllers of personal data are the persons who have the greatest number of responsibilities under the GDPR. They have to ensure the observance of the principles of lawfulness, transparency, accountability, etc.; they have the obligation to provide the relevant information to the persons whom the data refer to; they have to guarantee the rights to rectification of inaccurate information, to restrict or suspend the processing, etc. Controllers are responsible before the persons whose data are processed, including the responsibility for the actions of the processors selected for the performance of operations. Therefore controllers have the obligation to settle their relationships with processors on the basis of a contract or another binding legal act. The GDPR provides for a number of issues that have to be stipulated in the contract or the other binding legal act.
Processors have less responsibility because they do not determine the purposes and means of data processing. It is the controller who takes full responsibility for these matters. Still, processors have to ensure transparency of their operation, including the responsibility to implement appropriate technical and organizational data protection measures, the engagement of other processors and the opportunity for the controller to verify and authorize. Furthermore, processors are required to act only on documented instructions from the controller on when data is to be rectified or erased, whether certain processing operations should be suspended, etc. Another obligation of processors is to supervise their employees and to guarantee that they adhere to the personal data protection rules. Processors are also responsible before controllers for the discharge of the obligations under the contract or, in certain cases, directly before the data subjects.
This overview covers only the main duties of controllers and processors since these duties may vary largely due to the specificities of the processing operation and hence they cannot be analysed exhaustively here. Still, some general recommendations could be put forward in view of avoiding the most common issues which occur in reality. In the first place, it is obligatory to sign a contract on the allocation of responsibilities in the processing of personal data and this can be done also through general terms and conditions proposed by either the controller or the processor. Besides, it is always required to identify processors in a given operation correctly, including all persons who have even partial physical access to the relevant data. To use the same example with the cloud services, if the cloud service provider outsources the maintenance of the servers, the service provider has to notify the customer and to specify the persons who have physical access to the data carrier and who could, knowingly or unknowingly, cause their erasure. The processor, in his or her turn, will have to make it clear what security measures are applied and these measures are subject to approval by the controller. Otherwise, either party will be liable for data security breach.
Without prejudice to these provisions, both controllers and processors are liable for infringements of the Regulation before the competent national authorities under the GDPR. In Bulgaria the competent authority is the Commission for Personal Data Protection and judicial remedy could be sought directly, too.