Data controllers and processors: Liability roles in data protection

This article covers the roles and responsibilities of data controllers and data processors, and the direct obligations that binding contracts place on data processors. It also illustrates due diligence on vendors and other third-party services, and explains why liability under the GDPR cannot be transferred by contract and what that implies.



Roles and responsibilities of a Data Controller: The fundamentals

Data controller and data processor are both key terms that define the role of an organisation in a data processing relationship. A data controller is a person or organisation who determines the purposes and means of processing personal data. A data processor is anyone who processes personal data on behalf of the data controller.

Often, a data controller will carry the primary responsibility for upholding and complying with data protection principles. It is the controller's primary responsibility to implement safeguards that protect personal data during processing, including against the parties and individuals who take part in it. Data controllers can also be held liable to data subjects for any non-compliance by a data processor.

Thus, data controllers are expected to work with data processors who have the appropriate technical and organisational measures in place to comply with data protection law. Processors, in turn, are also expected to follow the relevant guidelines to demonstrate their own compliance with data protection law, as well as to follow the processing instructions received from the data controller.

What are the direct obligations of Data Processors?

Data Processors have specific and direct obligations regarding personal data. They must always enter into binding contracts with the data controller to maintain data security and implement adequate technical and organisational measures. Their work must evidence accountability, and they need to be prepared to be audited at any given time.

The international data transfer rules must also be considered for full compliance. In particular, if a Processor's duties are outsourced and the outsourcing service is based in the UK or EEA, the processor must be prepared to demonstrate that the correct safeguards are in place to secure the personal data while it is being processed in a third country. Processors must follow the instructions of a data controller unless they have identified a data protection infringement and communicated it to the data controller.

In some cases, processors might engage sub-processors. Data processors are therefore advised not to engage sub-processors without the controller's authorisation unless the contract stipulates otherwise. When sub-processors are involved, the data processor is fully liable to the controller for the sub-processor's compliance. Under Article 82(5) of the UK GDPR, if a sub-processor is at fault, the data controller may claim back compensation from the data processor for the sub-processor's failings.


Can a processor be held liable for non-compliance?

A data processor can be liable for breach of contract in the event of a failure to comply with the instructions imposed by the data controller or with the contractual terms agreed with the controller.

In cases of failure to comply with the law, the data processor will be subject to investigative and corrective actions, and such corrective actions may include administrative fines as well as other penalties.

Finally, the Data Processor can face legal claims filed against them by any individual whose data they process. For example, Article 82 of the UK GDPR imposes liability to pay compensation for any distress or non-material damage caused to the individual.

Data processors should keep in mind that if they begin to determine the means of the processing, they will be considered a controller in respect of that processing.

Sub-processor's liability for non-compliance

Sub-processors may also be held liable when they fail to comply with any legal obligations imposed on data processors or if they act above and beyond the Data Controller’s instructions.

Data processors are held liable to data controllers for a sub-processor's shortcomings. Under Article 82(5) of the UK GDPR, the data controller can claim compensation from the processor for any failures of the sub-processor. The sub-processor itself also has contractual obligations to the data processor where a sub-processing contract is established.

The processor must impose on the sub-processor the same data protection obligations that the controller imposed on the processor. In the sub-processing contract, the processor should set out the instructions it receives from the controller.

What does due diligence in services mean?

Another important topic in data protection is due diligence in services, an area in which parties often fall short. Like any other commercial relationship, a due diligence process should be carried out before engaging any third party and wherever the processing of data is involved.

Such due diligence processes should answer:

  • What is the vendor’s market reputation?
  • Where is the vendor based?
  • What is the vendor’s proximity to the individuals?
  • What financial resources does the vendor have?

Usually, organisations will create vendor risk assessments, which assess the vendor's privacy programme. Assessments also help the contracting party identify areas of risk and concern. Such risks can be anything from hacking, theft and unauthorised access to misuse of data.

By the way: if you want to assess your own business against the ISO 27001 certification, which also plays an important role in a due diligence process, feel free to use our free readiness assessment.

Once a list of risks has been compiled, a data protection impact assessment may also be carried out to understand the level of risk and to find ways to mitigate it.

In cases where a Data Controller wants to engage a Data Processor who has had multiple data breaches in the past few years, the Data Controller may wish to implement stricter instructions on that particular processor. These include strict technical and organisational measures that are to be regularly reviewed by the Controller itself.

A data protection assessment should ask questions to assess the risk appetite of third parties such as:

  • Does any part of the processing pose risks of non-compliance with the UK GDPR and Data Protection Act 2018?
  • Who is responsible for these areas of non-compliance?

Misjudging risks often results in high costs and losses. These include statutory compensation, regulatory action by the ICO, and actions brought by other regulatory bodies, such as the Financial Conduct Authority or the Gambling Commission, for anti-money laundering and data protection due diligence checks.


Liability in the contract between a Controller and a Processor is not transferable. A Data Processing Agreement is a legally binding contract and may include limitations of liability and indemnity terms. However, under the UK and EU GDPR, it is impossible to relieve either party of their legal responsibility. If personal data is not lawfully processed, the individual has a legal right to compensation.

It is important to highlight that there are no circumstances under which a Data Controller can exclude liability to an individual or a supervisory authority, and this also applies where an incident results from a data processor's fault.

Do you have unanswered questions about a Data Controller or Data Processor? Contact one of our experts for a free consultation.


About the author

DataGuard Privacy Experts

Dive into the world of data protection, compliance, ethics, and data security with hands-on advice and actionable opinions from our certified Data Protection Officers and Privacy Consultants from Germany, the UK, and Austria. Coming from a wide range of backgrounds like business, legal, tech, or marketing, our specialists share the latest news and solutions to current challenges, as well as their takes on recent judgements and legal decisions with you. Their aim? Enable you to make the right decisions and keep your business safe, build trust, and grow revenue while remaining compliant with current privacy laws. What makes our specialists qualified? These are some of the certifications of our privacy experts: Certified Information Privacy Professional/Europe (IAPP), Certified Information Privacy Manager (IAPP) Information Security, Certified Information Privacy Technologist (IAPP), Certified Practitioner in Data Protection (BCS), Certified Data Protection Officer (TÜV), Fellow of Information Privacy (IAPP), Certified EU General Data Protection Regulation Practitioner (IBITGQ), Data Protection Officer & Europrivacy Auditor, Practitioner Certificate in Data Protection, PC.dp. (GDPR)
