
Question

The introduction of GDPR and the Data Protection Act 2018 represents a fundamental
shift in the obligations to data subjects between data controllers and data processors.

Critically evaluate the above statement in the light of the introduction of GDPR and the
UK Data Protection Act 2018.

3,072 words (within the 10% allowance)

Introduction

Europe has entered another phase of data protection law, with the European Union (EU)’s
Regulation 2016/679 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data (General Data Protection Regulation, or the
‘GDPR’) coming into force on 25 May 2018.

The GDPR repeals the EU Directive 95/46/EC on the protection of individuals with regard to the
processing of personal data and the free movement of such data (the ‘Directive’), although the
objectives and principles of the Directive remain sound1 and therefore are still relevant to a
certain extent.

Unlike the Directive, which required further implementation in each Member State by way of
national law, the GDPR as an EU Regulation has immediate binding effect and is automatically
applicable in all Member States of the EU, including the UK – at least prior to Brexit.
Nonetheless, Member States are allowed to set out exemptions and to supplement the
requirements of the GDPR under national law.

In the UK, this is done through the Data Protection Act 2018 (the ‘DPA 2018’), which replaces
the Data Protection Act 1998 (the ‘DPA 1998’) and came into effect on the same date as the
GDPR, i.e. 25 May 2018. The DPA 2018 provides the framework for data protection law in
the UK, as it complements the GDPR and tailors how it applies in the UK.2 It provides
exemptions to the GDPR as well as separate data protection rules for law enforcement
authorities, extends data protection to some areas such as national security and defence, and sets
out the Information Commissioner’s functions and powers.3

The concept of data controllers and data processors is nothing new: both were incorporated
under the Directive and the DPA 1998. However, it is the GDPR which imposes direct
responsibilities on data processors for the first time.4 Under the GDPR, processors have
specific obligations towards data subjects and are directly subject to regulation by the
Information Commissioner’s Office (the ‘ICO’).5 Previously, only data controllers were under
such obligations and scrutiny. The DPA 2018 adopts this principle with some adjustments.

1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, or the GDPR) Recital 9.
2. Information Commissioner’s Office, ‘About the DPA 2018’ <https://ico.org.uk/for-organisations/guide-to-data-protection/introduction-to-data-protection/about-the-dpa-2018> accessed 10 May 2018.
3. ibid.
4. Damien Welfare and Peter Carey, ‘Territorial Scope and Terminology’ in Peter Carey (ed), Data Protection A Practical Guide to UK and EU Law (Oxford University Press 2018).

In light of the introduction of the GDPR and the DPA 2018, this essay will critically evaluate the
fundamental shift in the obligations to data subjects between data controllers and data processors.

Controller

In the GDPR, controller is defined as ‘the natural or legal person, public authority, agency or
other body, which, alone or jointly with others, determines the purposes and means of the
processing of personal data’.6 An almost identical definition of ‘controller’ can be found in the
Directive under Article 2(d).

Further, where the purposes and means of such processing are determined by EU or Member
State law - or in this case, UK law - that law may also determine who the controller is.7 The GDPR
applies to controllers based in the EU, regardless of whether the processing takes place in the
EU or not.8 It also applies to controllers based outside the EU who are processing personal
data of data subjects residing in the EU in relation to the monitoring of the data subjects’
behaviour or to the offering of goods or services.9

The DPA 2018 adjusts the GDPR definition slightly for the UK context, with minor differences
relating to the Crown and to Parliament (Section 6).10 Section 6(2) further provides that where
personal data is processed only for the purpose of a statutory requirement, the person who has
the duty to process the data is treated as the controller.11

The first and foremost role of the controller concept is to allocate responsibility, i.e. to
determine who shall be responsible for compliance with data protection rules and how data
subjects can exercise their rights in practice.12 As such, a controller is responsible for ensuring
that its processing – including any processing carried out by a processor on its behalf – complies
with the GDPR.13

5. Information Commissioner’s Office, ‘Controllers and processors: What’s new under the GDPR?’ <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/what-s-new-under-the-gdpr> accessed 24 April 2019.
6. GDPR, Article 4(7).
7. Welfare and Carey [n4].
8. GDPR, Article 3(1).
9. ibid, Article 3(2).
10. ibid.
11. ibid.
12. Article 29 Data Protection Working Party 00264/10/EN WP 169 Opinion 1/2010 on the concepts of “controller” and “processor” adopted on 16 February 2010 [2010].
13. Information Commissioner’s Office, ‘Controllers and processors: What does it mean if you are a controller?’ <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/what-does-it-mean-if-you-are-a-controller> accessed 24 April 2019.

The responsibilities of a controller under the GDPR include the following:14

1. Compliance with the data protection principles: compliance with data protection
principles listed in Article 5 of the GDPR.
2. Rights of the data subjects: ensuring that data subjects can exercise their rights regarding
their personal data, including the rights of access, rectification, erasure, restriction, data
portability, objection and those related to automated decision-making.
3. Security: implementing appropriate technical and organisational security measures to ensure
the security of personal data.
4. Choosing an appropriate processor: responsible for assessing – taking into account the
nature of the processing and the risks to the data subjects – that its processor is competent
to process the personal data in line with the GDPR requirements. A controller can only
choose a processor that provides sufficient guarantees that it will implement appropriate
technical and organisational measures to ensure that its processing meets GDPR
requirements.
5. Processor contracts: obligation to enter into a binding contract or other legal act with their
processors, which must contain a number of compulsory provisions as specified in Article
28(3) of the GDPR.
6. Notification of personal data breaches: responsible for notifying personal data breaches to
the ICO and, where necessary, other supervisory authorities in the EU, unless the breach is
unlikely to result in a risk to the rights and freedoms of individuals. In addition, the controller
is also responsible for notifying affected data subjects if the breach is likely to result in a high
risk to their rights and freedoms.
7. Accountability obligations: compliance with the GDPR accountability obligations, such as
maintaining records, carrying out data protection impact assessments (DPIAs) and appointing
a Data Protection Officer (DPO).
8. International transfers: compliance with the GDPR restrictions on transfers of personal
data outside the EU.
9. Appointing a representative within the EU: if a controller is based outside the EU but offers
services to or monitors data subjects inside the EU, it may need to appoint a representative in
the EU.
10. Co-operation with supervisory authorities: obligation to cooperate with supervisory
authorities – such as the ICO in the UK – and help them perform their duties.
11. Data protection fee: obligation to pay a data protection fee to the supervisory authority –
such as the ICO in the UK – unless it is exempt.

Joint controllers

Where two or more controllers jointly determine the purposes and means of processing, they
shall be joint controllers.15 Joint controllers decide the purposes and means of processing
together since they have the same or shared purposes.16 They cannot be joint controllers if they
are processing the same data for different purposes.17

14. ibid.
15. GDPR, Article 26(1).

Joint controllers shall decide their respective responsibilities in terms of their GDPR controller
obligations. Nonetheless, each controller remains responsible for compliance with all GDPR
controller obligations.18

The agreed roles and responsibilities of the joint controllers in complying with the GDPR must
be set out in a transparent agreement, the main points of which should be made available to data
subjects, e.g. in the privacy information. Joint controllers may specify a central point of contact
for individuals. However, data subjects must remain entitled to exercise their rights against each
controller.19

Processor

The GDPR defines processor as ‘a natural or legal person, public authority, agency or other body
which processes personal data on behalf of the controller’.20 Based on this definition, a processor
is an individual or legal entity separate from the controller21 that processes data on the mandate
and instructions given by the controller.22

Under the previous Directive and the DPA 1998, processors were not subject to any direct
statutory obligations towards data subjects. The GDPR has changed that, making processors
jointly and severally liable with controllers for their direct obligations towards data subjects.23

Accordingly, a processor has the following obligations:24

1. Controller’s instructions: to process personal data only on instructions from the controller (unless otherwise required by law). Once a processor acts outside its instructions or processes data for its own purposes, it steps outside the role of processor and becomes a controller for that processing.
2. Processor contracts: to enter into a binding contract with the controller. The contract must contain a number of compulsory provisions, and the processor must comply with its obligations under the contract.
3. Sub-processors: not to engage another processor (i.e. a sub-processor) without the controller’s prior specific or general written authorisation. If authorisation is given, the processor must put in place a contract with the sub-processor on terms that offer an equivalent level of protection for the personal data to those in the contract between the processor and the controller.
4. Security: to implement appropriate technical and organisational measures to ensure the security of personal data, including protecting against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access.
5. Notification of personal data breaches: to notify the relevant controller without undue delay once the processor becomes aware of a personal data breach. Most controllers will expect to be notified immediately, and may contractually require this, as they only have a limited time in which to notify the supervisory authority such as the ICO. The processor must also assist the controller in complying with its obligations regarding personal data breaches.
6. Notification of potential data protection infringement: to notify the controller immediately if any of its instructions would lead to a breach of the GDPR or local data protection laws.
7. Accountability obligations: to comply with certain GDPR accountability obligations, such as maintaining records and appointing a data protection officer.
8. International transfers: as the GDPR’s prohibition on transferring personal data outside the European Economic Area (EEA) applies equally to processors as it does to controllers, the processor must ensure that any transfer outside the EEA is authorised by the controller and complies with the GDPR’s transfer provisions.
9. Appointing a representative within the EU: a processor may need to appoint a representative in the EU if it is based outside the EU but is involved in offering services to or monitoring individuals inside the EU.
10. Co-operation with supervisory authorities: obligation to cooperate with supervisory authorities such as the ICO to help them perform their duties.

16. Information Commissioner’s Office, ‘Controllers and processors: What are ‘controllers’ and ‘processors’?’ <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/what-are-controllers-and-processors> accessed 24 April 2019.
17. ibid.
18. Information Commissioner’s Office, ‘Controllers and processors: What does it mean if you are joint controllers?’ <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/what-does-it-mean-if-you-are-joint-controllers> accessed 24 April 2019.
19. ibid. Also see GDPR, Article 26.
20. GDPR, Article 4(8).
21. Suzanne Rodway and Peter Carey, ‘The Nature of a Processor’ in Peter Carey (ed), Data Protection A Practical Guide to UK and EU Law (Oxford University Press 2018).
22. GDPR, Article 28.
23. [n21].
24. Information Commissioner’s Office, ‘Controllers and processors: What does it mean if you are a processor?’ <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/what-does-it-mean-if-you-are-a-processor> accessed 24 April 2019.
GDPR obligations of controllers and processors towards data subjects: what’s shifting?

The Directive

Under the Directive, processors were, as a rule, only indirectly accountable for compliance
obligations.25 They were, in effect, agents of the controller, who was solely responsible for
regulatory compliance.26

The party liable for a data protection breach was always the controller.27 In terms of direct liability,
the Directive prescribed that only the controller would be directly liable to data protection
authorities, as well as to data subjects, for non-compliance.

25. Brendan Van Alsenoy, ‘Allocating responsibility among controllers, processors, and “everything in between”: the definition of actors and roles in Directive 95/46/EC’ [2012] 28 Computer Law & Security Review 25, 26.
26. Sahar Bhaimia, ‘The General Data Protection Regulation: the Next Generation of EU Data Protection’ [2018] 18 (1) Legal Information Management 21, 26.
27. [n12].

Given the ever-increasing complexity of data processing activities, the difference between a data
controller and a processor is not always clear-cut. Guidance under the Directive addressed this
matter by adopting a factual approach, explaining that ‘the concept of controller is a
functional concept intended to allocate responsibilities where the factual influence is, and thus
based on a factual rather than a formal analysis’.28 This means that the factual circumstances of a
case must always be considered when determining whether a party is actually a data controller or
a processor.

This approach is apparent in the SWIFT case. The Society for Worldwide Interbank Financial
Telecommunication (SWIFT) is a Belgian-based cooperative active in the processing of
financial messages. It was revealed that personal data, collected and processed via the SWIFT
network for international money transfers, had been provided to the United States Department of
the Treasury (UST) since the end of 2001 on the basis of subpoenas under American law for
terrorism investigation purposes.29

SWIFT was formally considered a data processor on the basis of contractual provisions. However, it
acted – to a certain extent – as a data controller. It was therefore deemed a data controller and bore
joint responsibility with the other controllers in the case.30

The SWIFT case made it clear that the contractual designation of a party as data controller or
processor is not decisive in determining its actual status; rather, that determination must be
based on the concrete circumstances.31

The GDPR

The GDPR introduces a significant change from the Directive by placing data processors under
direct regulatory responsibility for the first time - thus recognising their importance in the data
supply chain.32 Under the GDPR, a processor is liable for non-compliance and thus may be
subject to sanctions imposed by supervisory authorities such as the ICO.33

Data processors may also be held directly liable - jointly and severally with data controllers - to
pay compensation to data subjects for any damage caused by processing, including non-material
damage such as distress, but only if (i) the data processor has not complied with its obligations
under the GDPR; or (ii) the data processor has acted outside or contrary to the controller’s
lawful instructions.34 They cannot be held liable if they can prove that they are not in any way
responsible for the event giving rise to the damage.35

28. ibid.
29. Article 29 Data Protection Working Party 01935/06/EN WP 128 Opinion 10/2006 on the processing of personal data by the Society of Worldwide Interbank Financial Telecommunication (SWIFT) adopted on 22 November 2006 [2006].
30. ibid.
31. [n12].
32. Jenai Nissim, ‘GDPR series: practicalities of managing the controller-processor relationship’ [2017] 17 (4) Privacy & Data Protection 3.
33. [n24].

Nonetheless, the GDPR affirms the Directive’s factual approach by confirming that a data
processor that determines the purposes and means of processing will be considered a data
controller in that respect.36 However, in comparison with the Directive, it is worth noting that
data processors under the GDPR do not have to be deemed data controllers first in order for
them to be held directly liable.

What’s shifting?

In the performance of their service to the data controller, data processors have direct obligations to
observe data subjects’ GDPR rights and to ensure that such rights are protected.37 This represents
a shift from the previous stance adopted by the Directive and the DPA 1998, under which data
processors only had direct contractual obligations to controllers and, as a consequence, data
subjects had a direct claim only against data controllers for non-compliance with data
protection obligations. Further, this development reflects one of the main objectives of the
GDPR, which is to give better protection to data subjects.38

What does this particular change mean for the controller-processor relationship moving forward?
The newly imposed direct obligations on the part of processors, as well as the joint and several
statutory liability now shared between controllers and processors, may well lead to stronger
contractual arrangements between both parties. It follows that data controllers must (i) ensure
that the mandatory contractual clauses provided under the GDPR are included in all contracts
between data controller and data processor; and (ii) only use data processors that are able to
demonstrate compliance with the GDPR.39

It is noted that some of the contractual requirements - for example the requirement to
implement appropriate security measures as stipulated by Articles 28(3)(c) and 32 of the GDPR -
are derived straight from the provisions of the GDPR itself, which has drawn criticism as to the
practicality of including such direct legal obligations in the already complex contract between
data controller and processor.40

However, as the GDPR is applicable retrospectively, data controllers and processors must ensure
that all previous and existing contracts comply with the provisions of the GDPR. Such contracts
must clearly indicate the roles and responsibilities between data controllers and processors in
order to ensure a fair allocation of liability for non-compliance.41

34. ibid. Also see GDPR, Article 82.
35. ibid.
36. GDPR, Article 28(10).
37. GDPR, Article 28(1).
38. Jenna Lindqvist, ‘New Challenges to personal data processing agreements: is the GDPR fit to deal with contract, accountability and liability in a world of the Internet of Thing?’ [2018] 26 (1) International Journal of Law and Information Technology 45, 55.
39. [n28].
40. [n38].
41. [n21].

Conclusion

In aiming to provide better protection for data subjects, the GDPR introduces new changes by
imposing direct statutory obligations on data processors towards data subjects. Data processors
now find themselves jointly and severally liable with data controllers for non-compliance with
their own GDPR obligations or for acting outside the data controllers’ instructions.

This change will inevitably mean that stronger contractual arrangements between data controller
and processor, which clearly allocate the roles and responsibilities of both parties, are essential.
Obviously, data processors can protect themselves from liability by always ensuring compliance
with their GDPR obligations and by performing their duties within the boundaries set out by the data
controller.

At this early stage, it remains to be seen how this new change will affect the implementation of
the GDPR and the DPA 2018.

Bibliography

Statute

Data Protection Act 1998

Data Protection Act 2018

European Union Legislation

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and the free movement of
such data

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the free
movement of such data

Article 29 Data Protection Working Party 01935/06/EN WP 128 Opinion 10/2006 on the
processing of personal data by the Society of Worldwide Interbank Financial
Telecommunication (SWIFT) adopted on 22 November 2006 [2006]

Article 29 Data Protection Working Party 00264/10/EN WP 169 Opinion 1/2010 on the concepts
of “controller” and “processor” adopted on 16 February 2010 [2010]

Case Law

Society of Worldwide Interbank Financial Telecommunication (SWIFT) Article 29 Data Protection Working Party 01935/06/EN WP 128 Opinion 10/2006 [2006]

Books

Peter Carey (ed), Data Protection A Practical Guide to UK and EU Law (Oxford University
Press 2018)

Journals

Bhaimia S, ‘The General Data Protection Regulation: the Next Generation of EU Data
Protection’ [2018] 18 (1) Legal Information Management 21

Lindqvist J, ‘New Challenges to personal data processing agreements: is the GDPR fit to deal
with contract, accountability and liability in a world of the Internet of Thing?’ [2018] 26 (1)
International Journal of Law and Information Technology 45, 55

Nissim J, ‘GDPR series: practicalities of managing the controller-processor relationship’ [2017] 17 (4) Privacy & Data Protection 3

Van Alsenoy B, ‘Allocating responsibility among controllers, processors, and “everything in
between”: the definition of actors and roles in Directive 95/46/EC’ [2012] 28 Computer Law &
Security Review 25

Other Sources

Information Commissioner’s Office, ‘About the DPA 2018’ <https://ico.org.uk/for-organisations/guide-to-data-protection/introduction-to-data-protection/about-the-dpa-2018> accessed 10 May 2018

Information Commissioner’s Office, ‘Controllers and processors: What are ‘controllers’ and ‘processors’?’ <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/what-are-controllers-and-processors> accessed 24 April 2019

Information Commissioner’s Office, ‘Controllers and processors: What does it mean if you are a controller?’ <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/what-does-it-mean-if-you-are-a-controller> accessed 24 April 2019

Information Commissioner’s Office, ‘Controllers and processors: What does it mean if you are
joint controllers?’ <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-
general-data-protection-regulation-gdpr/controllers-and-processors/what-does-it-mean-if-you-
are-joint-controllers> accessed 24 April 2019

Information Commissioner’s Office, ‘Controllers and processors: What does it mean if you are a
processor?’ <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-
data-protection-regulation-gdpr/controllers-and-processors/what-does-it-mean-if-you-are-a-
processor> accessed 24 April 2019

Information Commissioner’s Office, ‘Controllers and processors: What’s new under the GDPR?’ <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/what-s-new-under-the-gdpr> accessed 24 April 2019