Shifting roles and responsibilities under the GDPR
This article was first published in the Norwegian Financial Daily (Finansavisen), on Monday 8 April.
The terms «data controller» and «data processor» are both defined in the GDPR. The data controller is the entity that determines the purposes and means of the processing, while the data processor only acts on instructions given by the controller.
Traditionally, the contractor has taken on the role as data processor, while the customer has acted as data controller.
– Liability and risk under the GDPR is closely related to the parties’ roles as data controllers or data processors. This often results in tough negotiations, says attorney Thomas Olsen.
However, we have in recent years seen a change in how the market players perceive their own roles and responsibilities under data protection law. This is reflected in the contracts concluded and in the communication to the end users of digital services. What has caused this change?
Before the GDPR, it was in principle the controller that was subject to legal obligations. This changed with the GDPR, which to a greater extent imposes more independent liabilities on processors. The result of increased liability and risk also for processors may have had the effect that some enterprises are more positive to considering taking on the role as data controller.
Moreover, quite a few new digital services could imply attractive opportunities for utilisation of data gathered from end users. Suppliers of these services may not wish to be subject to the customer’s instructions, and independently determine how to utilise the data.
Some contractors, e.g. in banking, finance and audit, are subject to regulatory requirements, and thus they have independent obligations related to processing of personal data.
In such situations, it may be most appropriate and correct to let the contractor act as controller. The fact that the contractor is the controller means that, in principle, the contractor carries the risk that the data processing in the service is lawful. The contractor will also be liable for informing end users and otherwise handle enquiries from end users regarding activities where the contractor is data controller.
If the customer accepts that the contractor acts as data controller for the entire or parts of the processing, the customer’s primary risk lies in having a legal basis for leaving the processing of data regarding customers, employees or other end users to the contractor. In the situation where the contractor acts as data processor, this is solved by establishing a data processing agreement. An agreement may also be required if information is disclosed to a contractor that acts as data controller. Such agreement will not be a data processing agreement, but will often be materially similar to a data processing agreement. These agreements will often stipulate what a contractor may do with data regarding end users (purpose), so that the customer may have the opportunity to review the legality.
The use of controller-controller agreements heralds a challenge for the traditional division between data controllers and data processors. Recent case law from the European Court of Justice also indicates that cooperating actors, more often than in the past, will be regarded as joint controllers. This means that the parties, inter alia, will be joint and solidary liable for compensation claims from affected persons.
Since the parties’ roles under data protection law have such direct impact on the actors’ risk and liability, this issue must be thoroughly assessed before concluding the contract. In some cases, it is necessary to reassess the roles taken in view of new practice.