
GDPR: Who is the data controller, who is the data processor and what is the lawful basis?

Posted: April 21, 2026

Author: Porter Dodson

Category: Employment

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. The regulation places new and greater responsibilities on data processors to comply with data protection requirements.

The six data protection principles

Article 5 of GDPR outlines the six core principles introduced under the new regulations which govern the processing of personal data. These require that personal data must be:

  1. processed lawfully, fairly and in a transparent manner;
  2. collected for a specified, explicit and legitimate purpose;
  3. adequate, relevant and limited to what is necessary for the purpose for which it is processed;
  4. accurate and, where necessary, kept up to date;
  5. kept in a form which permits identification of data subjects (the people from whom personal data is collected, processed and stored) for no longer than is necessary for the purposes for which the personal data are processed; and
  6. processed in a manner that keeps data secure against unauthorised or unlawful processing and against accidental loss, destruction or damage.
 

Article 5 requires that data controllers comply with these six principles and be able to demonstrate that compliance.

Who is the data controller?

GDPR defines a data controller as:

a natural or legal person which, alone or jointly with others, determines the purposes and means of personal data processing.

(e.g. a business obtaining customer or employee details, or a school, college or university holding student records.)

The role of a data controller is to determine who shall be responsible for compliance with data protection rules and how data subjects can exercise their rights. Put simply, the controller is the manager of the personal data: it instructs the processor. The data controller decides the purpose for which personal data is required and what personal data is necessary to fulfil that purpose.

A data controller acts with its own autonomy. A party constrained in how it can handle personal data is less likely to be a data controller, but could be a data processor.

The two simple questions to consider when identifying the data controller are:

  1. Why is the personal data being processed?
  2. Who proposed that personal data is processed?
 

Who is the data processor?

GDPR defines a data processor as:

a natural or legal person that processes personal data on behalf of the data controller.

A data processor would be a separate business entity (whether a company, partnership or a sole trader) serving the interests and carrying out the instructions of the data controller in its processing of the personal data.

The role of a data processor could include storing data, retrieving data, running the payroll for a business, carrying out marketing activities, or providing security for data.

Scenario

  • Toys4you Limited has entered into a contract with Marketing123 Limited, providing clear instructions to Marketing123 to send an email advertising Toys4you's new range of toys.
  • Toys4you provides Marketing123 with an email template and a spreadsheet of personal email addresses (all obtained with valid GDPR consent).
  • Toys4you stipulates that the spreadsheet is only to be used for the purpose of sending this advertising email.
  • Marketing123 is bound by Toys4you's instructions.
 

In this scenario, Marketing123 is a data processor and Toys4you is the data controller.

What is a lawful basis under GDPR?

In order for a business to process personal data under GDPR, it must have a valid lawful basis. GDPR identifies six lawful bases for processing personal data:

  1. Consent;
  2. Contract - processing is necessary for a contract with an individual;
  3. Legal obligation - processing is necessary to comply with the law;
  4. Vital interests - processing is necessary to protect an individual’s life;
  5. Public task - processing is necessary for a business to perform a task in the public interest or for its official functions, and the task or function has a clear basis in law; and
  6. Legitimate interest - the processing is necessary for a business’ legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect the data subject’s data, which overrides those legitimate interests).
 

The lawful basis must be determined before data is processed. It is important to get this right first time: businesses cannot simply swap to a different lawful basis at a later date.

If the business decides to change the purpose for processing the personal data collected, the lawful basis relied upon will require review. Depending on the extent of the change (whether it is compatible with the initial purpose), businesses may be able to rely on the same lawful basis. This is unless the lawful basis is consent, in which case consent will need to be refreshed.

You can check online for further advice or contact a member of our Corporate Commercial team to review your existing policies and business terms and conditions.
