Data Controllers and Third-Party Processors: Legal Obligations and Contractual Requirements

Data protection has become an integral part of the modern digital landscape. In the European Union (EU), the General Data Protection Regulation (GDPR) has set the global standard for how organisations handle personal data. At the heart of GDPR is the relationship between Data Controllers and Third-Party Processors. Understanding their respective roles, responsibilities, and obligations is crucial to ensuring compliance and safeguarding individual rights. This article explores the legal obligations and contractual requirements for both data controllers and third-party processors under GDPR, along with the broader implications for organisations.

Understanding the Roles: Data Controllers vs. Third-Party Processors

What is a Data Controller?

A data controller is the entity that determines the purposes and means of processing personal data. They are the decision-makers when it comes to how and why personal data is processed. Data controllers are usually companies, public authorities, or other bodies that collect personal information from individuals, such as customers, employees, or users.

For instance, an online retailer that collects customer details for the purpose of delivering goods would be classified as a data controller. In this role, the retailer determines how the data will be collected, stored, and used for further processing.

What is a Third-Party Processor?

On the other hand, a third-party processor is an entity that processes personal data on behalf of the data controller. The processor does not decide the purposes for which the data is processed but instead acts upon the instructions provided by the controller. Typically, processors include cloud service providers, payroll companies, or external marketing agencies.

An important distinction is that processors act strictly in accordance with the controller’s directives and do not make independent decisions regarding the data. This distinction is essential in defining the legal obligations that apply to each role under the GDPR framework.

Legal Obligations of Data Controllers

Transparency and Lawfulness

The primary responsibility of data controllers is to ensure that any processing of personal data is carried out in a lawful and transparent manner. According to Article 6 of GDPR, there are six lawful bases for processing personal data, including the necessity for performance of a contract, compliance with legal obligations, and the legitimate interests of the data controller, provided those interests are not overridden by the interests or fundamental rights of the data subject.

Transparency is a core principle, and data controllers are obliged to inform data subjects about how their personal data will be used. This is typically achieved through a privacy notice or policy that clearly outlines the type of data collected, the purposes of collection, and the rights of the data subject.

Data Subject Rights

Controllers are responsible for upholding the rights of data subjects under GDPR. These rights include:

  • Right to Access: Data subjects can request a copy of their personal data.
  • Right to Rectification: Individuals have the right to correct inaccurate data.
  • Right to Erasure (Right to be Forgotten): Data subjects can request the deletion of their personal data under certain circumstances.
  • Right to Data Portability: Individuals can request that their data be transferred to another controller.
  • Right to Object: Data subjects can object to the processing of their data.

Data controllers must implement procedures to address these requests in a timely manner, usually within one month.

Accountability and Governance

Under GDPR, data controllers must implement appropriate technical and organisational measures to ensure that personal data is processed securely. This is a reflection of the accountability principle, which requires controllers to be able to demonstrate their compliance with the GDPR. Measures can include data protection impact assessments (DPIAs), appointing a data protection officer (DPO), and maintaining records of processing activities.

Failure to uphold these obligations can lead to significant penalties, including fines of up to 4% of annual global turnover or €20 million, whichever is higher.

Legal Obligations of Third-Party Processors

Processing on Behalf of the Controller

Processors are bound to act only under the instructions of the data controller. They cannot process personal data for their own purposes or outside the scope of the controller’s instructions. This means that any deviation from the controller’s directives would be a breach of GDPR, potentially resulting in significant penalties.

In practice, processors must ensure they follow the controller’s directions on how personal data should be handled, stored, and processed. This includes adhering to retention periods, security protocols, and specific procedures for deletion or transfer of data.

Security Measures

Processors must implement adequate security measures to protect the personal data they handle. This obligation aligns with Article 32 of GDPR, which requires both data controllers and processors to ensure a level of security appropriate to the risks involved. Security measures might include encryption, pseudonymisation, access controls, and regular security audits.

If a data breach occurs, the processor must notify the data controller without undue delay. However, the controller is ultimately responsible for informing the relevant supervisory authority and potentially the data subjects, depending on the severity of the breach.

Sub-Processing and Third Parties

A processor may not engage another processor (sub-processor) without prior written authorisation from the controller. This is a critical provision to prevent uncontrolled onward sharing of personal data. If authorised, the processor must ensure that the sub-processor complies with the same data protection obligations as the initial processor. This requirement typically extends to having a written contract between the processor and sub-processor that mirrors the terms set out in the original contract with the controller.

The Importance of Data Processing Agreements

What is a Data Processing Agreement?

A Data Processing Agreement (DPA) is a legally binding contract between a data controller and a processor, outlining the responsibilities and liabilities of each party in relation to personal data processing. Article 28 of the GDPR mandates that a DPA must be in place whenever a controller engages a third-party processor to handle personal data on its behalf.

The DPA acts as a safeguard to ensure that both parties are aware of their obligations, particularly in relation to GDPR compliance. It serves as a record of accountability and helps to clarify the scope of processing activities, reducing the risk of mismanagement or data breaches.

Essential Clauses in a Data Processing Agreement

A compliant DPA must include certain essential clauses, as outlined by Article 28 of GDPR:

  1. Purpose and Nature of Processing: The agreement must specify the purpose, duration, and nature of the processing activities, as well as the types of personal data involved.
  2. Obligations of the Processor: The DPA should clearly outline the processor’s obligations, including acting only on the documented instructions of the controller, ensuring confidentiality, and implementing adequate security measures.
  3. Sub-Processing: The agreement must include clauses that restrict the processor from engaging sub-processors without prior authorisation from the controller. Any sub-processor must also be subject to the same contractual terms as the primary processor.
  4. Security Measures: The processor must agree to implement appropriate technical and organisational measures to protect the data, such as encryption, access control, and regular audits.
  5. Data Subject Rights: The processor must assist the controller in upholding the rights of data subjects, including access, rectification, and erasure requests.
  6. Return or Deletion of Data: Upon completion of the processing activities or termination of the contract, the processor must either return the personal data to the controller or delete it, as instructed.
  7. Audits and Inspections: The processor must agree to allow the controller to audit and inspect its processing activities to ensure compliance with GDPR.
  8. Liability and Indemnification: The DPA should include provisions for liability in case of data breaches or other incidents, as well as indemnification clauses to protect the controller.

Joint Controllers and Shared Responsibilities

In some cases, two or more parties may jointly determine the purposes and means of processing personal data. In such instances, the parties are considered joint controllers under GDPR. Joint controllers must define their respective responsibilities for compliance, particularly regarding the rights of data subjects, in a transparent manner.

Joint controllers are required to set out their roles in a joint controller agreement, which must clearly allocate responsibilities between the parties. Both joint controllers remain accountable to supervisory authorities, and data subjects may exercise their rights against any of the joint controllers, regardless of which entity holds primary responsibility.

Cross-Border Data Transfers and Processors

One of the key challenges for data controllers and processors is managing international data transfers. Under GDPR, personal data cannot be transferred to a third country outside the European Economic Area (EEA) unless adequate safeguards are in place.

These safeguards might include:

  • Adequacy Decisions: The European Commission may determine that a third country provides an adequate level of data protection, allowing transfers without further authorisation.
  • Standard Contractual Clauses (SCCs): These are pre-approved contractual terms that impose data protection obligations on both the exporter and importer of personal data.
  • Binding Corporate Rules (BCRs): These are internal rules used by multinational organisations to transfer personal data within their group, provided they have been approved by a supervisory authority.

Processors are bound by these transfer restrictions as well and must ensure that any transfer of personal data outside the EEA is lawful under GDPR. Controllers and processors alike are responsible for ensuring that appropriate mechanisms are in place before transferring data internationally.

Penalties for Non-Compliance

The GDPR imposes severe penalties for breaches of its provisions. For data controllers and processors alike, fines can reach up to €20 million or 4% of global annual turnover, whichever is higher. These fines can be imposed for various violations, including failure to obtain valid consent, insufficient security measures, failure to uphold data subject rights, or unlawful data transfers.

In addition to financial penalties, organisations may suffer reputational damage, loss of customer trust, and potential legal action from affected data subjects. Therefore, compliance with GDPR is not just a legal obligation but also a matter of safeguarding business interests.

The Evolving Data Protection Landscape

While GDPR sets the foundation for data protection within the EU, the global regulatory environment is rapidly evolving. Many countries have introduced or are in the process of enacting GDPR-inspired legislation, including the California Consumer Privacy Act (CCPA) in the United States and the Brazilian General Data Protection Law (LGPD).

In the UK, the Data Protection Act 2018 incorporates GDPR provisions into domestic law following Brexit, with some amendments to align with UK-specific requirements. The UK’s departure from the EU means that UK organisations may also need to comply with GDPR if they offer goods or services to EU citizens or monitor their behaviour.

As the data protection landscape continues to evolve, organisations must remain vigilant in adapting their data protection practices to meet both current and future regulatory requirements.

Conclusion

The roles of data controllers and third-party processors are integral to the responsible and lawful processing of personal data under GDPR. Both parties bear distinct but complementary legal obligations aimed at protecting the rights of individuals and ensuring that personal data is handled securely.

For controllers, transparency, accountability, and governance are key responsibilities. They must uphold the rights of data subjects and ensure that processors comply with GDPR through data processing agreements. Processors, meanwhile, must act strictly on the controller’s instructions, implement security measures, and ensure that any sub-processors or international data transfers are compliant with GDPR.

Failure to meet these obligations can result in severe financial and reputational consequences. Therefore, establishing robust contractual frameworks, implementing security protocols, and staying abreast of regulatory developments are essential for ensuring compliance in today’s data-driven world.
