Determining roles under the GDPR in commercial transactions between businesses (processor, independent controller or joint controller)

The following Information Law guidance note provides comprehensive and up-to-date legal information covering:

  • Determining roles under the GDPR in commercial transactions between businesses (processor, independent controller or joint controller)
  • Key guidance
  • Meaning of controller
  • Meaning of joint controller
  • Independent controllers
  • Meaning of processor
  • Sub-processors
  • Employees
  • Other actors
  • Non-decisive factors in determining roles

It is vital that natural persons and organisations involved in the sharing or other processing of personal data (referred to simply as ‘parties’ in this Practice Note) understand and identify their roles (eg processor, independent controller or joint controller) under the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR). The role each party plays will establish the obligations of each party under data protection law and allow the parties to identify the contractual and other risk mitigation steps they should take.

This Practice Note provides practical guidance for a party involved in a commercial transaction between businesses to help them determine their role (and those of counterparties) under the GDPR and covers:

  1. how to determine if a party is a ‘controller’

  2. how to determine if a party is a ‘joint controller’ or ‘independent controller’

  3. how to determine if a party is a ‘processor’ or ‘sub-processor’

  4. the role of employees

  5. factors which are not decisive in determining roles

  6. the extent to which a party may have multiple roles

  7. how to undertake a process to determine roles

  8. examples of typical roles in commercial agreements

For general guidance on the GDPR regime, the circumstances in which it applies and key GDPR definitions (including ‘processing’ and ‘personal data’), see Practice Notes: The General Data Protection Regulation (GDPR) and Key definitions under the GDPR.

The UK has implemented certain