Determining roles under the GDPR in commercial transactions between businesses (processor, independent controller or joint controller)
Determining roles under the GDPR in commercial transactions between businesses (processor, independent controller or joint controller)

The following Information Law guidance note provides comprehensive and up to date legal information covering:

  • Determining roles under the GDPR in commercial transactions between businesses (processor, independent controller or joint controller)
  • Key guidance
  • Meaning of controller
  • Meaning of joint controller
  • Independent controllers
  • Meaning of processor
  • Sub-processors
  • Employees
  • Other actors
  • Non-decisive factors in determining roles
  • more

Brexit: On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU law. During this period, the GDPR applies in the UK and the UK generally continues to be treated as an EU (and EEA) state for EEA and UK data protection law purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection laws that are anticipated to apply after the end of it, see Practice Note: Brexit—implications for data protection.

It is vital that natural persons and organisations involved in the sharing or other processing of personal data (referred to simply as ‘parties’ in this Practice Note) understand and identify their roles (eg processor, independent controller or joint controller) under the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR). The role each party plays will establish the obligations of each party under data protection law and allows the parties to identify the contractual and other risk mitigation steps they should take.

This Practice Note provides practical guidance for a party involved in a commercial transaction between businesses to help them determine their role (and