
Whose Decision is it Anyway?

Controller/Processor determinations

(a.k.a. how a data protection anorak spends their leisure time)

Following a lot of pre-GDPR kerfuffle online about Data Controller/Data Processor relationships (and the varying degrees to which these are direly misunderstood), I spent a geeky Sunday night putting together a decision tree tool which should – hopefully – help people who are getting confused/panicked/deeply weary of the search for answers.

It’s not intended to be legal advice, it’s not formal advice from me as a consultant and it’s not guaranteed to be absolutely 100% perfect for every possible scenario. It’s designed for the low-hanging fruit, the straightforward relationships (like standard commercial supply chain) rather than the multi-dimensional nightmare data sharing behemoths one tends to find in the public sector.

Anyway, here it is. Enjoy. If you like it, please tell others where to find it. If you have constructive criticism (that’s not “oh you missed out this incredibly niche complex scenario that would only ever happen every 100 years”) please tell me.

The Tool

 

Here are also some useful links:

https://ico.org.uk/media/about-the-ico/consultations/2014789/draft-gdpr-contracts-guidance-v1-for-consultation-september-2017.pdf

http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf

Who’s in Control?

9 Comments

  1. John 2018-05-14

    With or without permission?

    • Miss Info Geek 2018-05-14

      I’m not sure what you’re asking – permission from/by whom? For what?

  2. BRETT ARELLANO 2018-05-14

    Love what you do Rowenna. I got an interesting question the other day in terms of a data controller/employer and 3rd party processors relating to employment. I’ve thought long and hard about it, but would love to hear your take. So an office secretary books a hotel for a member of staff who is travelling on business. In doing so, she submits the employee’s name, mobile number and email address. Does the employer as controller need to have a 3rd party processing agreement with the hotel? Or is it enough for the employer to advise the employee in the privacy policy that their details may be processed by 3rd parties under legitimate interests?

    • Miss Info Geek 2018-05-16

      H’mm, possibly legitimate interests or more likely the basis of a contract to which the data subject is party. The hotel wouldn’t be a Data Processor as their purposes and means of processing will be very different to the employing organisation’s. Separate Data Controllers, I think.

  3. Chris 2018-05-14

    In the instance of B2B businesses – how would you describe the relationship whereby there is a company (Company A) that processes data and sales, and delivers a consumable product to Company B?

    However Company A processes data about some of Company B employees.

    Company B is stating that they are a controller as the data is passed to Company A (however initially acquired via third party brokers) and that Company A is a processor to Company B.

    My understanding is that Company A is a controller and Company B has no bearing on Company A, as any PII has been gathered from third parties, and if Company B has provided any PII this was the individual doing so,

    • Miss Info Geek 2018-05-16

      Don’t get hung up on B2B – that’s only relevant when looking at unsolicited direct marketing by electronic means. The question is impossible to answer without taking a detailed look at the data flows, purposes and circumstances. If Company A merely has a list of contacts at Company B for the purpose of administering the business relationship then they are likely separate Data Controllers.

  4. John 2018-05-15

    In the third down slide above is not clear. I assume it is with or without permission. Thanks nice app.

    • Miss Info Geek 2018-05-16

      I’m sorry, not sure what you mean by ‘3rd down slide above is not clear’ – could you elaborate?

  5. John 2018-05-15

    Is on page after page with slide and choice “my organization is processing personal information.”
