Data controllers and processors: what are the differences?

I. Understanding the GDPR definitions

1. The data controller: definition and role

The data controller (in French "responsable de traitement", RT) is defined in Article 4(7) of the GDPR as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.

The controller is the entity that decides “why” personal data are processed and “how” they are processed. Identifying this actor is paramount, in particular for establishing its obligations and responsibilities.

In its guidelines on the concepts of controller and processor[1], the EDPB analysed this definition in detail, element by element:

  • “the natural or legal person, public authority, agency or other body”:
    This covers any entity, whatever its legal form, capable of assuming responsibility for the processing of personal data: companies, public administrations, and one or more individuals. In practice, although individuals within an organisation may be involved in managing a processing operation, responsibility generally lies with the entity as a whole (organisation, company, administration), not with the employee or manager personally.
  • “determines”:
    This refers to the entity that exercises decision-making power over the processing of personal data, i.e. that takes the essential decisions on how data are processed and why. The ability to “determine” the purposes and means may stem from two sources: i) in some cases the law confers on an entity the responsibility for a given processing operation, as when a public body is designated by law to collect and process data within its public-service missions (e.g. hospitals); ii) in the absence of a legal designation, the role is attributed on the basis of the factual and practical circumstances: an entity is the controller if it actually exerts influence over the purposes and means of the processing. For example, a company that decides why and how its customers' data will be used, such as for its marketing activities, is the controller of that processing, whatever the contracts say.
  • “alone or jointly with others”:
    These words cover the situation in which several entities determine the purposes and means of a processing operation together. Responsibility for the processing is then shared between several actors, each of which plays a role in the decision-making. They are known as “joint controllers”, defined in Article 26 of the GDPR, and they share legal responsibility for the processing. Article 26(1) in particular requires them to determine their respective obligations in a transparent manner, by means of an arrangement between them.
    The Court of Justice of the European Union recalled and clarified in its judgment of 7 March 2024 (IAB Europe, C-604/22) that an organisation which has no direct access to the personal data may nevertheless be regarded as a (joint) controller, provided that it influences the processing for its own purposes and thereby participates in determining the purposes and means of the processing.
  • “the purposes and means”:
    These terms describe why the data are collected (the purposes: the objectives of the processing) and how they are processed (the means: the methods and resources used to carry out the processing). The controller cannot confine itself to determining the purpose alone; it must also decide on the essential means, so as to guarantee the lawfulness and proportionality of the processing. Essential means are the major decisions, such as the type of data collected, the retention period or the categories of data subjects. Conversely, means qualified as “non-essential”, such as the choice of tools or the detailed security measures, may be left to the discretion of the processor.
  • “of the processing”:
    This term refers to the operations performed on personal data (e.g. collection, use, storage, modification, extraction, disclosure, transfer, including transfer outside the EU, deletion, etc.). A controller may be involved in one or more of these operations, and its control may extend to the whole processing or be limited to a specific stage. Even without access to the data, an entity can be the controller if it determines the purposes and means of the processing.

The overarching obligation of the controller:

In accordance with Article 5(2) and Recital 74 of the GDPR, the controller is subject to the principle of “accountability”, which obliges it to ensure, on an ongoing basis, compliance with the principles and obligations of the GDPR. It must be able to demonstrate that compliance at any time, including during an inspection by the competent supervisory authority (e.g. the CNIL in France).

2. The processor: definition and role

The processor (in French "sous-traitant", ST) is defined in Article 4(8) of the GDPR as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

Unlike the controller, the processor is a distinct entity that does not determine the purposes and means of the processing. Its role is to carry out one or more processing operations on behalf of, and on the instructions of, the controller.

For example, a healthcare organisation (controller) holds medical records containing sensitive patient data. It outsources the maintenance and administration of its IT systems to a private IT services company (processor) in order to secure those data (e.g. a managed-services arrangement).

  • Within a corporate group, one entity can be the processor of another entity of the same group acting as controller, since the two entities are legally distinct. However, a department of one entity cannot be the processor of another department of the same entity[2].
  • Staff, employees, temporary workers and other natural persons acting under the direct authority of the controller are not considered processors of that controller[3].

Article 28 of the GDPR[4] requires the relationship between the controller and the processor to be governed by a written contract (or other legal act) which sets out the instructions the processor must follow and the obligations it must comply with, as well as the subject-matter and duration of the processing, its nature and purpose, the type of personal data and the categories of data subjects.

Examples of obligations of the processor, as they may be set out in the Article 28 contract:

  • Controller's instructions: the processor processes the controller's data solely on the controller's behalf and in accordance with its documented instructions and the contractual terms.
  • Rights of data subjects: the processor forwards to the controller any request to exercise a right (e.g. access, rectification, erasure) received from persons whose personal data are covered by the contract, and assists the controller, as far as possible and in accordance with its instructions, in responding to such requests.
  • Instructions contrary to the GDPR: the processor informs the controller that, where an instruction infringes the GDPR, it reserves the right to refuse it, and it documents any such refusal in writing.
  • Security: the processor implements appropriate technical and organisational measures to protect the personal data, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks to the rights and freedoms of individuals. It carries out regular internal controls and audits to verify those measures.
  • Personal data breach: the processor takes all measures needed to remedy the identified breach and informs the controller as soon as possible (within 24 hours in the example clause), specifying the nature of the breach, the categories and approximate number of persons affected, the name and contact details of the DPO or other point of contact, the likely consequences of the breach, and the measures taken or proposed to remedy it.
  • Sub-processing: if the processor holds a general written authorisation to engage sub-processors on the basis of an agreed list, it informs the controller in writing before any change to that list (at least 15 days in advance in the example clause) so that the controller can exercise its right to object. Otherwise, it may engage a sub-processor only with the controller's prior written approval, providing all the information needed for an informed decision. In every case, it concludes with the sub-processor a contract imposing the same data protection obligations as those binding the processor to the controller, and ensures that they are complied with.

II. GDPR compliance stakes and case studies

1. The distinction between controller and processor: a key to GDPR compliance

The distinction between controller and processor is fundamental, because it defines the responsibilities and obligations of each party and thus directly affects data management, security and the rights of individuals.

In the event of non-compliance, liability may be shared: both parties can be held liable and exposed to sanctions. A poor qualification of the roles can therefore lead to disputes and to breaches of GDPR obligations, particularly in the area of security.

It is therefore necessary to proceed in three stages:

  • Rigorously analyse the roles, on a case-by-case basis, so as to identify clearly who acts as controller and who acts as processor, together with their respective responsibilities;
  • Then formalise the relationship by drafting a contract or inserting a “GDPR” clause into an existing contract, the aim being to define explicitly the roles, obligations and responsibilities of each party;
  • Finally, carry out regular checks, audits and inspections throughout the contractual relationship to ensure that the processor actually fulfils its obligations.

2. Data breach: the DEDALUS BIOLOGIE case and its liability as a processor

On 23 February 2021[5], the company DEDALUS BIOLOGIE was the victim of a personal data breach affecting nearly 500,000 people. The compromised data included sensitive data: surnames, first names, social security numbers, names of prescribing physicians, examination dates, and medical data (HIV status, cancers, genetic diseases, pregnancies, patients' medication, and genetic data).

On 24 February 2021, the CNIL launched several inspections, including of DEDALUS BIOLOGIE, which markets software solutions for medical laboratories and acts as their processor.

Following its inspections, the CNIL concluded that DEDALUS BIOLOGIE had infringed several GDPR obligations, in particular:

  • During a migration from one software product to another, requested by two laboratories, DEDALUS BIOLOGIE, in its capacity as processor, had not complied with the laboratories' instructions and had processed data beyond what was necessary;
  • The company had not implemented sufficient measures to ensure the security of personal data: there was no specific procedure for data migrations, the data stored on the server were not encrypted, the data were not automatically deleted after migration to the second software product, no authentication was required to access the public area of the server, several user accounts in the private area of the server were shared between employees, and there was no procedure for managing and escalating security alerts;
  • The company's general terms and conditions of sale did not contain the provisions required by Article 28(3) of the GDPR.

3. Key takeaways:

  • Processing arrangements are a key element of GDPR compliance, and supervising them is indispensable. It is crucial to include a detailed and comprehensive GDPR clause, and to make sure it is actually applied. In practice, contracts or GDPR clauses alone are not enough to ensure compliance: they must be accompanied by proactive inspections and audits carried out by the controller on its processor to verify compliance with the contractual obligations, including as regards data security. On this point, the CNIL requires “satisfactory and regular” control of these measures.
  • Before the GDPR entered into force, Article 35 of the French Data Protection Act (Loi Informatique et Libertés, LIL)[6] placed little responsibility on the processor for determining security measures: the processor merely had to “provide sufficient guarantees to ensure the implementation of the security and confidentiality measures”. Responsibility for ensuring compliance with security measures therefore fell primarily on the controller. Articles 28 and 32 of the GDPR now require that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

Conclusion: anticipate risks, ensure compliance

The correct qualification of the roles of controller and processor is a cornerstone of GDPR compliance. Beyond the text of the regulation, it is in concrete implementation (drafting contracts, documentation, controls, audits) that the effectiveness of personal data protection is achieved. Every actor, public or private, must be able to demonstrate that it complies with the essential principles of the GDPR, including within complex or cross-border contractual relationships.

At Aumans Avocats, we assist companies, associations and public institutions in analysing, securing and legally structuring their data processing operations. We work alongside you to draft or review your processing contracts (Article 28 GDPR), clarify your responsibilities, and assist you in the event of a CNIL inspection or a dispute relating to data protection.

Contact us to benefit from personalized support regarding GDPR governance.


Sources:

  [1] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR: https://www.edpb.europa.eu/system/files/2023-10/edpb_guidelines_202007_controllerprocessor_final_fr.pdf
  [2] Ibid., p. 29, para. 77: “Within a group of companies, one company may be the processor of another company acting as controller, since the two companies are distinct entities. Conversely, a department of a company cannot be the processor of another department of the same entity.”
  [3] Ibid., p. 29, para. 78: “Employees and other individuals acting under the direct authority of the controller, such as temporary staff, are not considered processors, since they process personal data within the controller's own entity.”
  [4] General Data Protection Regulation (GDPR), Article 28: https://eur-lex.europa.eu/eli/reg/2016/679/oj?locale=fr
  [5] CNIL, Decision SAN-2022-009 of 15 April 2022 (DEDALUS BIOLOGIE): https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000045614368
  [6] Law No. 78-17 of 6 January 1978 on data processing, files and individual liberties (LIL): https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/

AUMANS AVOCATS (formerly FOUSSAT AVOCATS & DEROULEZ AVOCATS)
AARPI