To be or not to be (a processor). That is the question.


In the case of a service provider that is not contracted by a controller to process personal data on its behalf but may gain custody of the controller’s personal data incidentally to the core services provided, should a contract with the controller-processor clauses required under GDPR Article 28 be drawn up?

In the run-up to the GDPR date of 25 May 2018, many of us received email requests to consent to processing – mostly to opt in to direct marketing. Many organisations also faced a wave of contract addenda adding new “GDPR clauses” to existing contracts because they were considered processors. 

In many cases, the addenda were necessary to comply with Article 28 of the GDPR. However, some service providers were overwhelmed by the sheer volume of clauses in these addenda in the context of the limited processing of personal data that was carried out.

There has been detailed analyses published to determine in which circumstances a service provider should be considered a controller or a processor. The Working Party 29 opinion  of 2010 is a definitive reference. However there are cases where the controller is contracting a service provider for services that do not involve “data processing” but during the provision of the service, there may be instances where personal data may be “processed” under the GDPR definition of “processing”.

An example is an IT hardware supplier who may be required to patch a router or a server or to carry out a repair or to trouble-shoot a fault. The supplier would be granted access to the device. In some cases, the supplier will need to take custody of the device. If the device stores any personal data, the supplier may be “processing” since the GDPR definition of processing includes “storage”.

The objective of the processor obligations under the GDPR are there to "avoid situations whereby processing by a third party on behalf of the controller of the file has the effect of reducing the level of protection enjoyed by the data subject." [Council of Europe Convention 108 ] To this end, in the scenario of the IT supplier, the mere custody of a device is enough to imply an obligation to safeguard that device against damage, theft or misuse. That obligation is not dependent on the case where it contains personal data. If it did, the consequences of theft or misuse would have more significant consequences than if it did not.

In the example, whether there should be controller-processor contract clauses with the IT supplier could hinge on whether the IT supplier gets custody of the device or when he is asked to perform some service that falls within the GDPR definition of “processing”. In practice, what often happens is that those clauses do get included is maintenance contracts or in the small print of a service sheet “just in case”. 


Article provided by: George Sammut - Founder/Member, Malta IT Law Association


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö


What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.