Legal Concepts

  • Contractual clauses can represent who has a decision-making power with regard to the purposes and means of processing. However, a contract must not allow the parties to assign responsibility at their own discretion. The actual responsibilities must be reflected in the contract and are crucial in determining the roles. A controller cannot evade its responsibility simply by drafting the contract in a certain way if that does not reflect the actual circumstances.
  • One and the same body can therefore simultaneously act as controller for certain data processing and as a processor for other data processing.
  • A data processor can make decisions regarding "nonessential" means. "Essential means" are closely related to the purpose and scope of the processing and are in principle reserved for the controller. Examples of essential means are the type of personal data that is processed, the duration of the processing, the categories of recipients and the categories of data subjects. "Nonessential means" relate more to practical aspects of implementation such as the choice of specific hardware or software or detailed security measures, decisions that can be left to the processor, unless these are specified in the contract for order processing.
  • The concept of "data controller" can apply either to a single processing operation or to a series of operations. The responsibility can therefore extend to the entirety of the processes in question, but it can also be limited to a specific section
  • A body is only to be regarded as jointly responsible with the other body(s) with regard to those processes for which it actually determines the means and purposes of processing together with others. If another body alone decides on the purposes and means of processes that precede or follow the processing chain, it must be viewed as the sole responsible party.
  • Someone who outsources a processing activity can also be regarded as a controller if it exercises a decisive influence on the purpose and the (essential) means of processing (e.g. by setting parameters that influence the question of whose personal data should be processed), even if it never actually has or will never actually have access to the data.
  • Joint responsibility can arise, for example, through joint decisions or converging decisions by two or more offices. Joint decisions are made together with a common intention. With converging decisions, the respective decisions complement each other in such a way that processing in the desired sense would not be possible without the participation of both parties
  • The decisive factor in whether a user of a platform is a data controller is whether the users of the system can decide about settings in such a way that they have a decisive influence on data processing
  • In so-called chain processing, i.e. when different actors process the same personal data one after another, the following applies: If each of these actors pursues independent purposes in “its” part of the chain and uses independent means, there is no joint responsibility. The actors are then rather successive, mutually independent responsible persons

Consequences of Shared Responsibility

  • The EDPB recommends that all jointly responsible parties conclude a legally binding document that sets forth who performs which tasks. Only then does liability arise from the person who may not adhere to the agreement. In addition, a binding agreement on joint responsibility has the advantage that the parties can prove that they are complying with the obligations under the General Data Protection Regulation. This is how they do their accountability.

Data Processors

  • The two basic requirements for being a processor are: 1) The processor must be a separate entity from the controller and 2) it must process personal data on behalf of the controller

Data Processor Obligations

  • Ensure that the persons authorized to process the personal data have committed themselves to confidentiality (Article 28 Paragraph 3 letter b).
  • Keep records of all categories of processing activities(Article 30 (2)) 
  • Implement appropriate technical and organizational measures (Article 32).
  • Appoint a data protection officer under certain conditions (Article 37).
  • Notify the controller immediately if it becomes aware of a data breach (Article 33 (2)).
  • The other requirements of Article 28 Paragraph 2 a) to h) General Data Processing Regulation (GDPR) must also be observed.
  • The regulations on the transfer of data to third countries (Chapter V) apply to processors in the same way as to controllers.

Data Processing Addendum

In order to be legally binding, an Article 28 Data Processing Addendum (DPA) should not only reflect the GDPR, but contain targeted and specific information on how the requirements are met and what level of security is required for processing the personal data concerned.

Data Subject Requests

  • In some cases of data subject requests, it may be sufficient to simply forward every application received immediately. Under certain circumstances, however, the processor will also be entrusted with more specific technical tasks, especially if it is able to extract and manage the personal data. The details of the support to be provided should therefore be included in the DPA or in its annex.
  • The practical management of individual requests can be outsourced to the processor. However, the data controller is always responsible for performing such tasks.

Data Breach Notification

The data processor must assist the data controller with data breach notification. To this end, controller and processor should agree to a specific timeframe for the report (e.g. number of hours) and specify the contact point for such reports in the engagement agreement.


The form as well as any specific criteria that the controller requires for the selection of sub-processors should be set out in the DPA. In addition, a list of approved sub-processors should be included in the agreement or an annex thereto and kept up to date.


The processor is only liable in the event of a breach of obligations imposed by the GDPR (see above) or if it does not comply with lawful instructions from the controller. The duty to support the controller does not mean a shift in responsibility, it remains with the controller.

Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the GDPR Compliance & International Privacy Practice. For questions about this alert or assistance with controller-processor questions, contact Odia at [email protected] or 215.444.7313.