One of the trickiest things under the AVG, though, is determining the roles in processing personal data. This is because privacy laws distinguish between the controller and the processor.

Although the distinction is often clear enough at first glance, the development and use of new ICT products and services create new roles and responsibilities, where it is not always clear who is the controller and who is possibly a processor. Determining your role under the AVG is important, however, since many of the obligations rest solely on the data controller.
Definitions
Under the AVG, the controller is "a natural or legal person, a government agency, a department or another body which, alone or jointly with others, determines the purposes and means of processing personal data." A processor, on the other hand, is the person who processes personal data on behalf of the controller.
Thus, the data controller is primarily the party that decides to process personal data for its own purposes. To determine whether a party qualifies as a data controller, the first step is to answer the questions "Why is this processing taking place?" and "Who initiated it?"
Responsibility for processing can, for example, arise from an explicit legal authority. This situation occurs when a certain power, task or duty involving the processing of personal data is explicitly assigned to the controller. One example is the processing of personal data by the Tax Authority.
Responsibility may additionally arise from an implied authority. This situation occurs when there is no explicit authority to process personal data, but based on common legal rules and the standards that apply in society, the processing responsibility belongs to a specific natural or legal person. Consider, for example, an employer that processes the data of its employees or an association that processes the data of its members.
Finally, responsibility for processing can be determined by reference to actual influence. In many cases, this involves an assessment of the contractual relationships between the various parties involved. This may involve looking at the division of responsibilities in the contract. However, the provisions of a contract are not decisive, because contracting parties would then be able to allocate responsibilities as they see fit. In addition to the terms of a contract, other facts are important in determining who is responsible for the processing, for example, the degree of actual control of a party, the image presented to data subjects and reasonable expectations of data subjects based on this visibility. Other practical indications of a party's responsibility include:
- determining what data are being processed;
- determining retention periods;
- control over data access;
- control over the information provided to the data subject;
- control over the disclosure of data to third parties and/or to parties in countries outside the EU.
Thus, the controller is the one who decides whether, and if so, what data will be processed, for what purpose and in what manner, while the processor is the one who processes personal data on behalf of the controller. The service provided by the processor must be aimed at carrying out a particular processing of personal data for the benefit of the client. Where the data processing is an outgrowth of another form of service, the service provider is itself responsible for it.
If a contractor has influence over the purpose and can process data (also) for its own purposes, for example by using the received personal data for product improvement, then it would be responsible for a different processing and all obligations of the AVG would apply to it.
Practical Examples
Of course, the Autoriteit Persoonsgegevens ("AP") has had to assess the privacy role of parties on several occasions.
Snappet
In 2014, the AP published an investigation into Snappet's processing of personal data. Snappet leases tablets with built-in educational software (apps) to elementary schools. The tablets are aimed at children in grades 4 to 6, ages 7 to 9. On the Snappet tablets, children can read and practice subjects such as language, spelling, math and reading.
According to Snappet, it is a processor and the schools are the controllers, but the AP thinks otherwise. Based on the factual circumstances, the AP found that Snappet has so much control over the purposes of the data processing that it does not qualify as a processor. Due to the lack of a specific written mandate (from the majority of schools), the starting point should be that Snappet is the controller of the data processing. In addition, Snappet also has its own business interest in this data processing, namely to be able to recommend additional or alternative modules.
Bluetrace
A year later, in 2015, the AP published an investigation into Bluetrace, a company that provides and installs Wi-Fi tracking technology in and around stores in the Netherlands. Also in this case, the AP ruled that Bluetrace incorrectly classified itself as a processor:
"Bluetrace involves a relationship between client and contractor. Bluetrace's clients hire the company to set up a Wi-Fi tracking system for them and provide related services. As such, Bluetrace's services do not primarily consist of data processing. Data processing is an outgrowth of the service for which the company is hired by clients, namely installing Wi-Fi tracking systems in and around stores, generating measurement data and analyzing, managing and storing it. [...] According to the explanatory memorandum to the Wbp, the circumstance that the data processing is a corollary of the service rather than a primary activity is an indication that there is no data processing within the meaning of the Wbp."
Bluetrace determines substantial aspects of data processing in Wi-Fi tracking. The fact that this case involves a client-contractor relationship would seem to indicate that the responsibility for data processing lies with the commissioning party that initiates it. But because Bluetrace itself determines what kind of data it processes, for how long and by what technical means, the responsibility lies primarily with Bluetrace. Bluetrace also has actual management of all stored data from tracking activities and control over any retention periods to be used. Bluetrace processes measurement data for the purpose of providing business data to the client. This is its own purpose, determined by Bluetrace, with which the company provides a value-added service to its clients. Without the data analysis, Bluetrace would only be able to submit raw measurement data to the client, and there would be hardly any business-economic information. This does not detract from the fact that the company wants to serve clients with this. The client then determines how the business-economic information provided by Bluetrace is applied in the company. Finally, it is important that Bluetrace has made independent decisions about whether or not to provide data to third parties and/or investigation services.
Uber
In late 2018, the AP fined Uber B.V. (NL) and Uber Technologies Inc (US) €600,000 for violating the data breach notification obligation. In a processor agreement, Uber NL and Uber US had agreed that Uber NL is the controller of personal data it collects and processes from data subjects outside the US and that Uber US acts as a processor on behalf of Uber NL.
In the case of corporate relationships, the legal entity under whose authority the operational data processing takes place is considered the data controller. In this case, the AP notes that the privacy and information security policy is (partly) drafted by Uber US. Additionally, backups are made which are stored in the United States, and it is Uber US which has entered into an agreement with Amazon to store backups. Finally, the Uber app was developed by Uber US and is also offered by Uber US. The AP therefore finds that Uber NL and Uber US are to be considered jointly responsible. Thus, the processor agreement is not decisive.
Conclusion
The meaning of the terms controller and processor remained unchanged with the advent of the AVG. A pity, because the AVG would have been the pre-eminent opportunity to provide more clarity on this point. All in all, based on the above, it does matter that the puzzle is put together so that parties can identify their legal obligations.
