Checklist: Assessing whether an organisation is a controller or processor under the GDPR (EU)

Updated as of: 16 January 2025

Introduction

This checklist is intended to provide guidance to in-house counsel and private practitioners about how to assess whether an organisation is a controller or a processor under the European Union’s General Data Protection Regulation (EU GDPR) and to assist them when advising internal and external clients on this issue.

This checklist addresses the following topics:

  1. Determining whether you are a controller
  2. Determining whether you are an independent controller or a joint controller
  3. Confirming whether you are a processor

As further set out in the explanatory notes, each section in this checklist sets out criteria that help to determine which organisation makes decisions about the purposes and means of the processing, and whether those decisions are carried out independently or jointly with another organisation.

Under the EU GDPR, every organisation that processes personal data does so as either a controller or a processor. A controller may be either an independent controller or a joint controller. Understanding your data processing role is essential to ensuring you are compliant with your data protection obligations.

Key definitions, such as ‘controller’, ‘processor’, ‘data subject’, ‘personal data’ and ‘processing’ are further explained in How-to guide: Understanding key data protection definitions.

This checklist can also be used in conjunction with Checklist: Lawful processing of personal data under the GDPR.

For simplicity, the term ‘organisation’ is used throughout this checklist; however, it is important to note that a controller or processor can also be an individual such as a sole trader, partner in an unincorporated partnership, or a self-employed professional, provided the material scope of the EU GDPR applies to the processing. As used in this checklist, the term ‘processor’ includes a sub-processor.

Step 1 – Determining whether you are a controller

The questions and outcomes in the table below will help you determine whether you are a controller or a processor in relation to a specific processing activity.

If you answer ‘yes’ to any of the questions, you are likely to be a controller and you should go to Step 2 of this checklist to determine what kind of controller you are.

If you answer ‘no’ to all of the questions, you should go to Step 3 of this checklist to confirm whether you are a processor.

1.1  Question: Do you make decisions about whether to process the personal data in the first place?
     Response: Yes / No
     Outcome: If you answer yes to this, you are likely to be a controller, even if another organisation also does this

1.2  Question: Do you make decisions about the reasons or objectives for processing the personal data?
     Response: Yes / No
     Outcome: If you answer yes to this, you are likely to be a controller, even if another organisation also does this

1.3  Question: Do you make decisions about the type of processing, for example, regarding the type of personal data and the type of data subject?
     Response: Yes / No
     Outcome: If you answer yes to this, you are likely to be a controller, even if another organisation also does this

1.4  Question: Do you exercise judgement or discretion when processing the personal data?
     Response: Yes / No
     Outcome: If you answer yes to this, you are likely to be a controller, even if another organisation also does this

1.5  Question: Do you make decisions about data subjects during the processing or as a result of outcomes of the processing?
     Response: Yes / No
     Outcome: If you answer yes to this, you are likely to be a controller, even if another organisation also does this

1.6  Question: Do you have a commercial interest in or gain a benefit from the processing (other than fees paid to you under a services contract)?
     Response: Yes / No
     Outcome: If you answer yes to this, you are likely to be a controller; however, answering no to this will not mean you are a processor

1.7  Question: Do you have a direct relationship (contractual or non-contractual) with the data subject in accordance with which the processing takes place?
     Response: Yes / No
     Outcome: If you answer yes to this, you are likely to be a controller; however, answering no to this will not mean you are a processor

1.8  Question: Do you make decisions about the treatment of the personal data (eg, engaging processors, keeping the data secure or data retention periods, etc) without instructions from a third party?
     Response: Yes / No
     Outcome: If you answer yes to this, you are likely to be a controller; however, answering no to this will not mean you are a processor

Step 2 – Determining whether you are an independent controller or a joint controller

Once you have determined that you are a controller in relation to a specific processing activity, the table below will help you determine whether you are an independent controller or a joint controller. If you are not a joint controller with one or more other controllers, you will be an independent controller. Do not complete Step 2 without first completing Step 1.

2.1  Question: Do you share a common objective with one or more other controllers relating to the same set of personal data?
     Response: Yes / No
     Outcome: If you answer yes to this, you are likely to be a joint controller with the other controller(s)

2.2  Question: Is your processing of the personal data inseparable from one or more of the other controllers’ processing of the personal data?
     Response: Yes / No
     Outcome: If you answer yes to this, you are likely to be a joint controller with the other controller(s)

2.3  Question: Do you make decisions about the purposes of the processing jointly with one or more other controllers?
     Response: Yes / No
     Outcome: If you answer yes to this, you are likely to be a joint controller with the other controller(s)

2.4  Question: Do you make decisions about how the personal data is processed jointly with one or more other controllers?
     Response: Yes / No
     Outcome: If you answer yes to this, you are likely to be a joint controller with the other controller(s)

Step 3 – Confirming whether you are a processor

If you answered ‘no’ to all of the questions in Step 1, the table below will assist you with confirming whether or not you are a processor in relation to a specific processing activity. The role of a processor is narrow and if you cannot confirm any of the criteria below, you are likely to be a controller. Do not complete Step 3 without first completing Step 1.

3.1  Criterion: You have been engaged by another organisation to assist with the processing on its behalf based on its instructions
     Response: Confirmed / Not confirmed
     Outcome: If you confirm this, you are likely to be a processor; otherwise you are likely to be a controller

3.2  Criterion: You have been provided with the personal data by another organisation, or told by the instructing organisation what personal data to collect
     Response: Confirmed / Not confirmed
     Outcome: If you confirm this, you are likely to be a processor; otherwise you are likely to be a controller

3.3  Criterion: You may make some decisions as to how the personal data is processed, but such decisions are in accordance with instructions from the instructing organisation
     Response: Confirmed / Not confirmed
     Outcome: If you confirm this, you are likely to be a processor; otherwise you are likely to be a controller

3.4  Criterion: You do not have a stake or interest in the results of the processing, other than successfully performing your contractual obligations
     Response: Confirmed / Not confirmed
     Outcome: If you confirm this, you are likely to be a processor; otherwise you are likely to be a controller

3.5  Criterion: You do not decide which lawful bases should be relied on for the processing
     Response: Confirmed / Not confirmed
     Outcome: If you confirm this, you are likely to be a processor; otherwise you are likely to be a controller

3.6  Criterion: You do not make decisions about sharing the personal data with third parties, other than sub-processors that have been approved by the instructing organisation
     Response: Confirmed / Not confirmed
     Outcome: If you confirm this, you are likely to be a processor; otherwise you are likely to be a controller

3.7  Criterion: You do not decide how long the personal data should be retained
     Response: Confirmed / Not confirmed
     Outcome: If you confirm this, you are likely to be a processor; otherwise you are likely to be a controller

3.8  Criterion: You refer requests from data subjects to exercise their rights over their personal data
     Response: Confirmed / Not confirmed
     Outcome: If you confirm this, you are likely to be a processor; otherwise you are likely to be a controller

Explanatory notes

General notes

Legal framework

This checklist covers the requirements under the EU GDPR.

Definitions of processing roles are generally set out in the following:

  • article 4(7) EU GDPR – defines a controller as the organisation that determines the purposes and means of the processing of personal data;
  • article 4(8) EU GDPR – defines a processor as an organisation that processes personal data on behalf of the controller; and
  • article 26(1) EU GDPR – states that where two or more controllers jointly determine the purposes and means of processing, they are joint controllers.

Why it is important to determine your data processing role

Accurately determining the role your organisation plays in relation to personal data processing is a crucial initial step in data protection compliance. This is because your role governs what your data protection obligations are, including what your responsibilities are towards data subjects, data protection regulators and other third parties.

Controllers are ultimately accountable for the processing and have the highest level of responsibility under data protection laws. Processors have less responsibility than controllers but still have a number of direct obligations under data protection laws, as well as contractual obligations to controllers. Data protection regulators and data subjects can take direct action against both controllers and processors for a breach of data protection laws.

Joint controllers have the same obligations as independent controllers, but may allocate responsibility for compliance with specific obligations amongst themselves. However, each joint controller remains ultimately responsible for ensuring compliance with all data protection obligations imposed on controllers.

If you do not accurately determine the roles of the organisations involved in the processing, it is likely you will not be compliant with data protection laws. Therefore, it is essential to keep a documented analysis of your role in relation to each processing activity you are involved in.

How to assess your data processing role

The purposes and means

Assessing whether you are a controller or a processor in relation to a particular processing activity requires an assessment of two key factors:

  • which organisation determines the purposes (the ‘why’) of the processing; and
  • which organisation determines the means (the ‘how’) of the processing.

The organisation that determines the purposes and means of the processing will be the controller, even if this determination is done in combination with other organisations. An organisation that processes data solely on behalf of another organisation, and does not assist with determining the purposes or means of the processing (other than deciding certain technical elements of the processing) will be a processor.

A factual assessment

You must assess the specific factual circumstances of the processing. An organisation will not be automatically rendered a controller or a processor based on the nature of its business.

While contractual designations of organisations as controllers or processors may be a helpful indicator, they will be superseded by any factual determination to the contrary. For example, if a contract designates an organisation as a processor but that organisation acts like a controller in practice, it will be liable for obligations applicable to controllers under data protection laws.

It is important to note that a factual assessment will not be necessary if controllership has been defined by applicable law (ie, if you are required to process personal data based on a specific statutory obligation). Article 29 of the EU GDPR states that a processor shall not process personal data except on instruction from a controller, unless required to do so by EU or relevant EU member state law. Many service providers that are typically categorised as processors operate under a range of professional obligations that oblige them to take responsibility for the personal data they process (eg, EU anti-money laundering legislation). In order to meet these obligations, such service providers would, from time to time, not be acting on the instructions of the customer (the controller) but in accordance with their own professional obligations, and therefore as controllers in their own right with respect to such limited processing activities.

A granular assessment

Your assessment must be specific and granular to each processing activity. You may be a controller in relation to some processing activities and a processor in relation to others. For example, if you are a processor in relation to customer personal data, you will still be a controller of personal data relating to your employees and certain other operations.

In some circumstances, you may be a controller and a processor of the same set of personal data if you are processing it for different purposes, for example, as a processor for the purposes of independently processing personal data in your own systems where you are not instructed on the processing by the original controller.

What else do organisations have to do to ensure they are compliant?

This checklist is limited to the exercise of determining what your data processing role is, and it does not address what your specific obligations are once you have made that determination. You must ensure you comply with all obligations under data protection laws that apply to your data processing role. For example, chapter IV of the EU GDPR sets out key controller and processor obligations, including how controllers and processors must contract with one another, and how joint controllers must put a transparent and documented arrangement in place.

Notes on specific requirements

Step 1 – Determining whether you are a controller

1.1 Decisions about whether to process the personal data

An organisation that decides whether to process the personal data in the first place, alone or jointly with others, is likely to be a controller. The party instigating the processing will always be a controller and, therefore, there will always be at least one controller for every processing activity.

1.2 Decisions about the reasons or objectives for the processing

An organisation that decides what the reasons, objectives or purposes of the processing are, whether alone or jointly with others, is likely to be a controller. It is very unlikely that an organisation would be a processor if it has any degree of influence over the purposes for the processing.

1.3 Decisions about the type of processing

An organisation that decides what type of personal data to process, whether alone or jointly with others, is likely to be a controller. This may include decisions about what categories of data to process and what categories of data subjects the personal data relates to.

1.4 Exercising judgement or discretion during the processing

An organisation that exercises judgement or discretion when processing the personal data, whether alone or jointly with others, is likely to be a controller. For example, an organisation that has been engaged to provide professional services (such as accountancy services or legal services) to another organisation has various professional obligations that it must meet in relation to the client information it holds. In these circumstances, the professional services firm cannot rely solely on the instructions from the other organisation, and it will be a controller of the personal data.

1.5 Decisions about data subjects based on the processing

An organisation that makes decisions about data subjects during processing or as a result of the processing, whether alone or jointly with others, is likely to be a controller. For example, a talent agency that has been engaged to source and manage actors for a TV production company will make decisions about which data subjects are recruited and for which kinds of roles. Accordingly, the talent agency will be a controller of the actors’ personal data.

1.6 Commercial interests and benefitting from the processing

An organisation that has a commercial interest in the processing or gains some other kind of benefit from the processing is likely to be a controller. For example, an organisation that places third-party cookies on its website to track the preferences of users and carry out targeted advertising will derive a commercial benefit from the advertising. Accordingly, the organisation will be a controller of the users’ personal data.

The fees paid by a controller to a processor under a services contract should not be considered when determining whether there is a commercial interest or benefit to the processor.

Importantly, while a commercial interest or benefit is a useful indicator in determining if an organisation is a controller, its absence does not mean that an organisation is a processor.

1.7 Direct relationship with the data subject

If an organisation has a direct relationship with the relevant data subject in the course of the processing, it is likely to be a controller. This relationship may be contractual or non-contractual in nature. For example, an employer is generally always a controller in relation to the processing of its employees’ personal data, and a retailer is likely to be a controller in relation to the processing of its customers’ personal data.

Importantly, while a direct relationship with the data subject is a useful indicator in determining if an organisation is a controller, its absence does not mean that an organisation is a processor. In some circumstances, an organisation may not even have access to the personal data being processed, but it will still be a controller because it determines the purposes and means of the processing.

1.8 Decisions about the processing

If, during processing, an organisation makes its own decisions about the processing without any instructions from another party (for example, engaging sub-processors (whom to engage and when), deciding what technical and organisational measures are taken to protect the personal data, or deciding how long the personal data is retained for), then that organisation will be acting as a controller.

It is worth noting that, regarding the engagement of processors, article 28(1) EU GDPR requires a controller to undertake due diligence on its sub-processors, only using sub-processors ‘with sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject’. Article 28(3) EU GDPR sets out the minimum requirements that are to be included in a data processing agreement with the sub-processor.

Step 2 – Determining whether you are an independent controller or a joint controller

2.1 Sharing a common objective with other controllers

An organisation that shares a common objective with one or more other controllers with respect to the same set of personal data is likely to be a joint controller. A common objective may take the form of an intentional common decision made by two or more organisations to process personal data jointly. Alternatively, it may take the form of the converging decisions of two or more organisations where those decisions complement each other to result in a mutual benefit, provided that each organisation has a stake in the common purposes and means of the processing.

2.2 Inseparable processing activities

Another way of thinking about a common objective is to consider whether the processing is inseparable from the processing of the other controller, such that it would not be possible without the participation of both controllers. If an organisation’s processing activities are inseparable from, or inextricably linked with, those of another controller, it is likely to be a joint controller. Conversely, if an organisation’s processing activities can be performed without intervention or contribution from another controller, it is likely to be an independent controller.

2.3 Joint decisions about the purposes of the processing

An organisation that makes decisions about the purposes of the processing jointly with one or more other controllers is likely to be a joint controller. Organisations do not need to have the same level of influence over the determination of the purposes of the processing to be joint controllers. If the controllers jointly determine the purposes in relation to some stages of the processing activity but not others, the joint controllership will apply only to those stages of the processing where the controllers act jointly.

2.4 Joint decisions about the means of the processing

An organisation that makes decisions about the means of the processing jointly with one or more other controllers is likely to be a joint controller. Organisations do not need to have the same level of influence over the determination of the means of the processing to be joint controllers. If the controllers jointly determine the means in relation to some stages of the processing activity but not others, the joint controllership will apply only to those stages of the processing where the controllers act jointly.

Step 3 – Confirming whether you are a processor

3.1 Engaged by another organisation to assist with the processing on its behalf

A processor is always engaged by another organisation to assist with the processing on the organisation’s behalf and solely in accordance with its instructions. The instructing organisation may be either a controller (in which case the instructed organisation will be a processor) or a processor (in which case the instructed organisation will be a sub-processor and the instructions will be passed down from an ultimate controller).

It is an important requirement that the two organisations are separate entities from one another. A department within an organisation cannot be a processor to another department within the same organisation, and the employees of a controller cannot be the processors of the controller. In both cases, the parties are part of the same controller entity. An organisation can be a processor to another organisation within the same company group, provided that they are separate entities.

3.2 Provided with the personal data or told what to collect

A processor is always either provided with personal data that has already been collected or told what personal data to collect. The processor may have some limited discretion over the technical means of how the personal data is collected (see section 3.3) but it does not exercise judgement over what is collected.

3.3 Decisions about the means of the processing in accordance with another organisation’s instructions

There is some flexibility for a processor to make some decisions regarding how the personal data is processed from a technical and organisational perspective. However, such decisions must always remain in accordance with the instructions given to the processor.

It can be helpful to consider means as being either ‘essential’ or ‘non-essential’, whereby a processor may be permitted to determine non-essential means, but if it determines any essential means, it will be a controller instead. Essential means relate closely to the lawfulness of the processing (eg, whose personal data is collected), while non-essential means concern practical aspects of processing (eg, which IT system to use or the methods for deleting personal data).

3.4 Stake or interest in the results of the processing

A processor is unlikely to have a stake or interest in the end results of the processing activity, other than successfully performing its contractual obligations.

3.5 Decisions about lawful bases relied on for the processing

A processor does not make decisions about which lawful basis is appropriate to rely on for a specific processing activity; this is the responsibility of the controller. A processor does not need to establish its own lawful basis.

3.6 Decisions about disclosing the personal data to third parties

A processor does not make decisions about disclosing personal data to third parties. However, a processor may choose to engage a sub-processor to assist with the processing in accordance with the instructions from the instructing organisation, provided such sub-processor has first been approved by the instructing organisation.

3.7 Decisions about how long the personal data should be retained

A processor does not make decisions about how long the personal data should be retained. A processor will be obliged to delete or return the personal data at the end of the engagement and/or at points throughout the engagement; however, such actions will always be at the direction of the instructing organisation.

3.8 Referring data subject requests to another organisation

A processor does not respond to requests from data subjects to exercise their rights over their personal data, other than in a limited operational capacity, for example, to confirm which processing relationship the data subject request is relevant to. Otherwise, a processor refers all data subject correspondence to the instructing organisation.

Additional resources

Related Lexology Pro content

How-to guides:

  • Understanding key data protection definitions
  • How to comply with data processing principles under the GDPR
  • How to ensure compliance with the GDPR
  • How to establish a valid lawful basis for processing personal data under the GDPR
  • How to transfer personal data lawfully outside the European Economic Area
  • How to reduce the risk of a GDPR data breach
  • How to deal with a GDPR data breach
  • How to deal with a supervisory authority dawn raid

Checklists:

  • GDPR compliance self-assessment audit
  • Lawful processing of personal data under the GDPR
  • Obtaining and managing consent under the GDPR
  • Processor due diligence (data protection and cybersecurity)
  • Making an international transfer of personal data under the GDPR
  • Data subject access rights under the GDPR
  • What to include in your organisation’s privacy notice
  • When and how to appoint a data protection officer
  • Complying with cookie requirements under the ePrivacy Directive and the GDPR
