Data Controller, Data Processor, Joint Controller

Wednesday July 22nd, 2015

The new EU Regulation provides for the existence of different roles involved in the processing of personal data:
• Data Controller
• Controller's representative
• Data Processor
• Joint Controller
reflecting, in principle, similar figures in the current legislation.

As already noted in the post of Andrea Reghelin, one of the most important innovations in the new EU Regulation is the greater responsibility placed on the roles other than the data controller, as they are also called to answer civilly and criminally, jointly with the controller.

The definition of these figures and of their respective duties, both in the legislation in force and in the new regulation being defined, often leads one to think that such roles are absolute: a subject is either a data controller or a data processor (to cite the two most common figures).

In reality this is not true, since the allocation of these roles is linked to a single specific activity or to a set of activities.
For example, any company, regarding the processing of data of its employees, is a data controller.
It could, however, at the same time carry out a number of services on behalf of third parties as a data processor.

So the same subject can occupy different roles at the same time for different activities, or even for the same activity, depending on whether it acts as a data controller or as a data processor.
A large bank could simultaneously take on all four roles provided for by law.
For example, the parent company will assume the role of data controller for most of its activities, but it could be designated as a data processor for those activities, such as personnel management, which it carries out on behalf of other companies and banks in the Group.
Similarly, it could play the role of joint controller together with other partners in conducting joint activities.
Finally, for the subsidiary banks present in non-EU countries, it could play the role of Controller's representative.
Within the banking group, the parent company may in turn designate operating companies of the group as data processors, such as those devoted to the management of information systems or the management of property, creating a web of designations for different activities.

Similar, and even more complex, would be the situation of companies whose mission is offering outsourcing services to third parties; almost certainly those companies will be designated as data processors by many individual customers.
What is the problem that arises in this case?
A data controller differs from a data processor in that it is the controller that decides the purposes and methods of data processing.

The data processor is defined, in theory, as a mere executor of tasks according to the instructions and rules dictated by the data controller.
But what happens when the same operating company, acting as data processor on behalf of several data controllers, has received different instructions from them, perhaps even in conflict with one another?
The situation becomes more complicated still if the data processor must necessarily rely on subcontractors to provide its services: such subcontracting may be provided for under the agreements with some data controllers, but not in the other agreements.

The legislation in force, and that being finalized, says and defines nothing about this mixture of roles or the other concerns above, leaving the problem of self-regulation to the parties themselves.

However, the heightened responsibility of all the roles other than the data controller under the new EU Regulation is making the current practices less viable:

  • the use of a single set of "photocopied" instructions supplied by a data controller to all of its data processors
  • data processors accepting a designation that is not accompanied by instructions in line with their operating practices

The governance of relations between the parties will therefore most probably become the object of much more complex negotiations than they currently are.


About Giancarlo Butti

Has dealt with ICT, organization and legislation since the early 80s, covering different roles: security manager, project manager, auditor at banking groups, and consultant in security and privacy to companies of different sectors and sizes. Performs regular dissemination activity through articles (over 700), books (21 between books and white papers, also used as university texts, and 11 collective works within ABI LAB, the Oracle Community for Security and CLUSIT), technical manuals, courses, seminars and conferences. Participates in working groups at ABI LAB on Business Continuity, Risk and GDPR, at ISACA-AIEA on GDPR and 263, and at the Oracle Community for Security, UNINFO, ASSOGESTIONI and the Committee of experts for the innovation of OMAT360. He is a member of the faculty of ABI Training. He is a partner and proboviro of ISACA-AIEA and a member of CLUSIT and BCI. He is certified LA BS7799, LA ISO IEC 27001:2013, CRISC, ISM, DPO, CBCI and AMBCI.
