In case of multinational company groups, it is not always easy to determine the capacity in which individual members of the group participate in the processing of the employees’ personal data. Moreover, the company group may use external service providers for certain aspects of the data processing which further complicates the situation. In this article you will find some guidance on how to decide who is a controller, a joint controller or a processor.

Smartlegal Schmidt&Partners reports from Hungary:

1. Who is a controller?

The HR shared service centre of a company group uses an application that keeps track of when an employee of the Hungarian subsidiary needs to go for a medical fitness test. The application was developed by the Indonesian member of the group. As the HR shared service centre has decided to use the employees’ personal data in the medical tracker application and, within that, has decided what personal data to store in the app and for how long, it will certainly be a controller.

A controller is the entity who determines the purposes and means of the processing, i.e. the why and how of the processing[1].

While the controller must always decide on the purpose and the essential means of the processing, the decision on the non-essential means of the processing might be left to the processor.

  • Essential means

Without being exhaustive, the following aspects of the data processing are regarded as essential means:

  • whose personal data are processed?
  • which data will be processed?
  • who shall have access to the personal data?
  • for how long shall the data be processed?
  • Non-essential means

Let’s assume that it was left to the Indonesian developer to decide on the environment in which to develop the medical tracker application and where to store the background data. These issues are considered non-essential means, and deciding on them does not make the developer a controller.

Non-essential means concern the more practical aspects of the implementation, such as the choice of a particular type of software or the detailed security measures[2]. Even though decisions on the non-essential means can be left to the processor, the controller remains responsible for the implementation of appropriate technical and organisational measures.

  • Access is not a must

For example, during the COVID-19 pandemic, the Lithuanian public health centre entrusted an IT company with creating a mobile application for the registration and monitoring of the data of persons exposed to COVID-19. The public health centre instructed the IT company on several aspects of the app, such as the content of the questions asked. According to the EU Court, this level of influence on the data processing made the public health centre a controller, even though it did not have access to the collected personal data.

It should be mentioned that it is not necessary for the controller to actually have access to the personal data that is being processed. Where a company has decided that a processing operation shall take place and has determined the essential means of the processing, it is to be regarded as a controller even if it will never have access to the personal data.

  2. Who are joint controllers?

Where two or more companies jointly participate in determining the purposes and means of the data processing, they are considered joint controllers.

Returning to the medical tracker example, assuming that the Hungarian employer and the HR shared service centre decided together to use the app, there is a joint controllership.

Joint participation can take the form of a common decision where the parties have a common intention and decide together about the purposes and the essential means of the processing.[3]

Nevertheless, joint controllership may result from converging decisions by the participants where the decisions complement each other, and the processing would not be possible without both parties’ participation.[4]

As an example, in case the medical fitness tracker is used by the subsidiaries of the company group separately, and each subsidiary processes data only in relation to its own employees without a common purpose, joint controllership is unlikely to arise.

It is important to note that the use of a common data processing system or infrastructure will not in all cases lead to the parties involved being qualified as joint controllers, in particular where the processing they carry out is separable and could be performed by one party without the intervention of the other.[5]

  3. Who is a processor?

A processor is an entity which processes personal data on behalf of the controller. This means that in order to be considered a processor, two basic conditions must be fulfilled:

  • being a separate entity in relation to the controller and
  • processing personal data on the controller’s behalf[6].

  • Separate entity

A separate entity means that the controller delegates all or part of the processing of personal data to an external organisation. While a department within a company cannot generally be a processor to another department within the same company, within a group of companies, one company can be a processor to another company acting as a controller.[7]

  • On the controller’s behalf

Processing personal data on behalf of the controller means that the separate entity processes personal data for the benefit of the controller, following its instructions at least in relation to the purpose and the essential means of the processing.

An extremely important point is that the processor can never determine the purpose of the processing and cannot process the personal data entrusted to it for its own purposes. If the processor processes the personal data for additional purposes not specified by the controller, this converts it into a controller for that set of processing and constitutes an infringement of the GDPR. At the same time, as mentioned previously, the non-essential means of processing (e.g. the choice of a particular type of software) can be determined by the processor.

  • Processing is a key element

It is worth noting that not every service provider that processes personal data in the course of delivering a service is a processor[8].

Where the service provided is not specifically targeted at processing personal data, or where such processing does not constitute a key element of the service, and the service provider independently determines the purpose and means of the processing, it is a controller rather than a processor.

Written by Anita Vereb

SMARTLEGAL is a team of agile business & litigation lawyers in Budapest, Hungary, helping international corporate clients and individual entrepreneurs doing business in Hungary. For more information please visit our website at smartlegal.hu

[1] See Guidelines 07/2020 on the concepts of controller and processor in the GDPR by the EDPB.

[2] See Guidelines 07/2020 on the concepts of controller and processor in the GDPR by the EDPB.

[3] See Guidelines 07/2020 on the concepts of controller and processor in the GDPR by the EDPB.

[4] See Guidelines 07/2020 on the concepts of controller and processor in the GDPR by the EDPB.

[5] See Guidelines 07/2020 on the concepts of controller and processor in the GDPR by the EDPB.

[6] See Guidelines 07/2020 on the concepts of controller and processor in the GDPR by the EDPB.

[7] See Guidelines 07/2020 on the concepts of controller and processor in the GDPR by the EDPB.

[8] See Guidelines 07/2020 on the concepts of controller and processor in the GDPR by the EDPB.