Controller versus processor

Definition

In this article, we will take a more detailed look at two key concepts of the GDPR where there still seems to be a great deal of confusion: the processor and the controller.

The purpose of the GDPR is to provide a general protective framework for the processing of personal data. There are two actors in that story: the persons whose data are processed (collected, stored, published, etc.), and the persons and/or organisations which organise and carry out that processing. In what follows, we will be primarily concerned with those who are responsible for this processing.

Not everyone who processes personal data plays the same role under the GDPR, and the obligations differ accordingly. A distinction must be drawn between two types of actors who are involved in a processing operation.

The distinguishing characteristic is who determines the aim and means of the data processing. This party is called the controller. It does not matter whether the controller processes the data itself or outsources this task to a third party. If the processing is outsourced and the third party does not itself decide the aim or the essential means of the processing but only follows the controller's instructions, then that party acts in the capacity of a processor.

Here is an example to make this clear. Company XYZ employs some 30 people. The company collects numerous data on its employees, inter alia for payroll purposes. The company does not, however, handle the payroll administration and payment of salaries itself but calls on the services of a payroll agency. That agency therefore receives personal data and instructions from company XYZ and sees to the administration and payment of salaries.

The roles here are very clear. Company XYZ determines the aim and means of the processing, i.e. managing the payroll administration, organising an efficient payment of wages, paying social security contributions, etc. Company XYZ is clearly the controller. The payroll agency has only an operational task and carries out the processing on behalf of company XYZ. In this capacity, the payroll agency is therefore only a processor.

Importance of the distinction

Why is this distinction important? Although both the controller and the processor fall under the scope of the GDPR, the controller's obligations are far more extensive.

The qualification therefore determines to a large extent your responsibility under the GDPR and the measures that you have to take. If you are only a processor, your exposure is more limited, although processors do have direct obligations of their own: they may only process the data on the controller's documented instructions, must keep the data secure and must report data breaches to the controller. If you are the controller, however, then you must make sure that the entire data processing is carried out in a way compliant with the GDPR. If the data processing is not compliant, you run the risk of suffering the consequences and even having to pay hefty fines.

Each organisation that processes personal data will therefore have to carry out an analysis of the different processes and must answer the question as to whether it is the controller or merely the processor.

DNS Belgium recommends that you look at least into the following operational processes in detail:

Personnel policy

  • Which data on my employees do I keep, for what purposes, and who assists me with the processing?
  • Which data do I keep on occasional staff such as consultants, volunteers, interns, working students and temporary employees?
  • Which data do I keep from applications and job interviews, for what purposes and for how long?

Invoicing and bookkeeping

  • Which data on my customers do I keep for invoicing purposes and who assists me in drawing up invoices?
  • Which data on my customers and suppliers do I keep for bookkeeping purposes and who assists me with the bookkeeping?

Suppliers

  • Which data on my suppliers do I keep, for what purposes and who assists me with the processing (e.g. the external manager of my CRM application)?
  • What is the specific relationship with my suppliers? Do I process data for them, or do they process data for me?

Customers

  • Which data on my customers do I keep in order to communicate with them about my offer of products/services? For which purposes do I keep such data and who assists me with the processing thereof (external marketing firm, provider of e-mail applications)?
  • Which data on my customers do I keep for general customer management, for which other purposes, and who assists me with the processing (e.g. the external manager of my CRM application)?
  • Do I pass data on customers on to third parties (e.g. for direct marketing), for which purposes, and who assists me with the processing?

System management

  • Which personal data are logged or processed by my own information systems and software applications (including log files, backups and monitoring tools), for which purposes, and who assists me with the processing?
  • Which personal data are logged or processed by external systems and applications that I use (e.g. cloud services), for which purposes, and who assists me with the processing?

Concepts applied to your relationship with DNS Belgium

If you work with DNS Belgium as a registrar, you have concluded an agreement with us to that end. Personal data are processed under this arrangement also, and it is therefore important to analyse the role that both parties play here.

(Personal) data are processed with each new registration, update or transfer of a .be domain name. You could consider that the registrant is your customer and that you are therefore the controller, but that is only partially so.

The agreement between you and DNS Belgium contains a reference to the technical rules that apply to the .be registration process. These technical rules also describe which data fields are required to create a registrant contact handle successfully on our registration system. Although you collect the personal data from the customer, DNS Belgium determines the aim and means of the processing of those data. For that processing, DNS Belgium is the controller and you act as a mere processor.

The GDPR provides that the controller must conclude a so-called processing agreement with its processor(s). Accordingly, at the end of last year, DNS Belgium sent out a contract update. The sole purpose of this update was to append this processing agreement as an annex to your registrar agreement.

This is only half of the story! In reality, you are far more than a mere processor of data on behalf of DNS Belgium. For the registration itself and for WHOIS, the position is clear: DNS Belgium is the controller and you are merely the processor.

Suppose that DNS Belgium imposed no technical requirements at all. Would you then stop processing the personal data of your customers? No, because you need such data yourself in order to perform the contract with your customer. You need elements such as the name, address, e-mail address and VAT number in order to issue invoices for the services provided. You need payment details, such as a credit card number, to process payments from your customer. You want to keep the customer's e-mail address and telephone number so that you can reach him easily in case of problems.

You are the one who determines the aim and means of all these forms of data processing. In other words, for these you are the controller. Legally, you are therefore processor and controller at the same time, for a quasi-identical set of personal data, depending on the processing in question.

Working with resellers adds an extra dimension to the whole story. In the reseller-registrar-DNS Belgium relationship, you are right in the middle. For the registration data, DNS Belgium remains the controller, you are the processor, and the reseller who collects the data on your behalf is in effect your sub-processor. DNS Belgium, however, has no contractual link with your reseller.

Our advice is for you to conclude a processing agreement with your reseller that extends the obligations of your registrar agreement to the reseller. Towards DNS Belgium you remain responsible for what your reseller does with the data; the agreement gives you a contractual basis to hold the reseller to the same rules, to recover from it in case of misconduct on its part, and to terminate the contract with such a party rapidly.

Conversely, a reseller should also conclude a processing agreement with you. Unlike the direct relationship between you and DNS Belgium, this does not concern your customers but your reseller's customers. For those data the reseller is the controller, in the same way as you are for your own customers. In the relationship with the reseller's customers, you therefore fulfil only the role of processor.

Our advice is as follows: analyse in particular the contractual relationships in which data processing is involved. In essence, this concerns your contracts with registry operators and possibly ICANN, contracts with data centres, hosting companies and ISPs, contracts with resellers or other subcontractors, contracts with other registrars with whom you work, and your data escrow services.


ICANN

The Internet Corporation for Assigned Names and Numbers, a non-profit organisation that coordinates the global domain name system, in particular the management of top-level domains and the accreditation of registrars.

WHOIS

A look-up service that gives information about the registrant of a domain name, its registrar, the name servers and the domain status. Since the GDPR entered into force, personal data of private registrants are largely no longer shown publicly.

registrar

The entity that registers a domain name on behalf of a company, organisation or person. Besides registering domain names, registrars often also offer hosting, web design and similar services.

registry

The organisation that manages the registration of domain names under a given extension. A registry maintains the database containing the information about one or more domain name extensions, such as .be, .com, .org, .vlaanderen, etc.

registrant

The holder of a domain name, i.e. the person or organisation in whose name the domain is registered.

Hosting

Renting space on, or physical space for, a server that is permanently connected to the internet so that a website, e-mail or other service can be made available. This service is typically offered by a hosting provider or your Internet Service Provider.

DNS

Domain Name System. The global, hierarchical system and protocol used on the internet to translate domain names into IP addresses and, via reverse look-ups, IP addresses into domain names.