This blog was written by Johannah Palmer, Edgecumbe’s Data Protection Officer and Information Security Administrator. This is the fourth blog in our GDPR series. In blog #1, we highlighted a range of things you need to consider when using psychometrics for employment purposes. Blog #2 explored why you must treat psychometrics as special category data and the implications for HR professionals. Blog #3 explored how to deal with the security of psychometric data. In this blog, we will delve into the roles of Controllers and Processors.

Establishing whether you are a Controller or Processor is not as straightforward as it might first seem. Controllers bear the ultimate responsibility for compliance under the UK GDPR, so it is important to recognise when you hold that responsibility. Here we set out a summary of recent guidance from the ICO (UK) and the European Data Protection Board (EDPB).

Controller or Processor?

Under GDPR, the concepts of Controller and Processor are functional concepts that determine responsibilities based on the actual roles of the parties involved. This means that their legal status is determined by their activities, not how they are designated in a contract, and that the allocation of roles is not negotiable.

Controllers are people or organisations that alone or jointly with others determine the purpose and means of processing personal data: they decide why and how the data is processed. Conversely, Processors do not determine the purpose or the means of the processing. They act on behalf of the Controller and follow their instructions and arrangements.

Processors do not have their own purpose for processing the data, and they do not decide the means of processing, the lawful basis for data use or the duration of data retention. If Processors act without instructions, they are determining a new purpose or means of processing, which means that they become Controllers and assume the liabilities associated with the role for that processing.

In practice, it is not always easy to know when a Processor has strayed beyond the bounds of what is determined by the Controller. Recent guidance from the ICO and EDPB helps to clarify matters by distinguishing between essential and non-essential decisions.

The Controller is tasked with making ‘essential decisions’; these cover the purposes and scope of processing, the objectives and extent of processing, and assessing its necessity and lawfulness. Essential decisions include defining the types of personal data processed, the duration of processing, the categories of personal data involved, and the recipients of the data. For psychometric data, determining lawfulness includes identifying an appropriate exception under Article 9 for processing special category data.

Non-essential decisions’ are those that do not fundamentally affect the purpose and means of processing. These decisions are typically delegated to the Processor. This is often important where there are technical considerations which the Controller may not fully understand, such as specific security measures, specialist technology or systems, and other operational details that do not significantly affect the fundamental purpose and scope of the processing.

Consequently, the Controller may give Processors significant leeway to exercise their expertise in determining how to do the processing, referred to as “non-essential means.” This level of flexibility is now explicitly recognised by both the ICO and EDPB.

In summary:

  • Controllers are people or organisations that alone or jointly with others determine the purpose and means of processing personal data: they decide why and how the data is processed. They are tasked with making ‘essential decisions’ about the type of data, how it is used, etc.
  • Processors do not determine the purpose or the means of the processing. They act on behalf of the Controller and follow their instructions and arrangements. Processors are tasked with making non-essential decisions’ that do not fundamentally affect the purpose and means of processing.
  • The boundary between essential and non-essential decisions needs to be considered as part of data processing in order to determine the point at which the responsibilities of Controller and Processor meet. Legally, responsibility lies where the decisions are made, regardless of what it might say in a person’s contract.

If you would like to learn more about the ways in which we support organisations , please get in touch via our website or by emailing us at enquiries@edgecumbe.co.uk. We are planning an HR webinar in September and would love to tailor this to the requirements of our audience. If you would like to tell us about the topics you would be most interested in hearing about, please state your preferences here.

Our blog series continues….

In our next (and final blog in this GDPR series) we will explore the fascinating topic of profiling and automated decision making. We will outline the rules governing these practices and shed light on the associated risks.