<iframe src="//www.googletagmanager.com/ns.html?id=GTM-5T7PGR" height="0" width="0" style="display:none;visibility:hidden">


Simple in Theory, Complex in Practice: The dual role as controller and processor under the General Data Protection Regulation

Posted by on 24 May 2018

Outsourcing of certain business processes is standard for most companies these days, even for small and mid-size companies. Through outsourcing, business processes within a group of companies can be handled efficiently or access to an advanced IT infrastructure can be made possible. Outsourcing usually involves transferring personal data, such as employee data, customer data or supplier data. The outsourcing provider is a processor, the outsourcing customer is a controller. So far so good. But what if the provider uses the data for its own purposes too? And what if the customer is told what to do by the processor when processing the data? This article explains on which basis the individual roles of controller and processor can be determined taking into account the EU General Data Protection Regulation (GDPR).


Looking at the Regulation

Article 3 of the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR" or “Regulation”) gives the Regulation extraterritorial scope. Accordingly, it applies (i) to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not and (ii) to the processing of personal data of data subjects who are in the union by a controller or processor not established in the Union, where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. Consequently, the GDPR is also relevant for many companies outside of the Union e.g. in Switzerland.

First Step to Comply with the Regulation

The first step to complying with the Regulation is to define a natural or legal person's role under the Regulation; controller or processor, or in some cases, both. Only with a clear determination of the role, can an assessment of the rights and obligations for that particular legal or natural person be made.

The controller is the contact person of the data subjects and is responsible for ensuring their rights laid down in the Regulation are respected. An involvement of a third party for the processing does not change this. Rather, the controller has further obligations if it involves a third party.

For example, the controller must ensure that the processing by a processor is governed by a contract or other legal act that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller as further stipulated in article 28 GDPR. Drafting of a GDPR compliant data processing agreement is not rocket science. Article 28 para 3 stipulates all duties and obligations that must be covered by a processing agreement.

Pursuant to the Regulation, the controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data and the processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. These definitions are well understandable. The controller collects personal data for a specific purpose and passes it on to the processor for processing on its behalf for the same purpose. In practice, however, the allocation is not always that simple. For example, consider the following situations:

  • A medical devices manufacturer sells its devices to an importer, which resells the devices to distributors and device user facilities such as hospitals. In some jurisdictions, the manufacturer, the importer, the distributor and the device user facilities each separately have a reporting obligation in case of malfunctioning devices. The obligation itself, the required information, in particular personal data, however, may vary. All repairs and warranty work are carried out by the manufacturer irrespective of the reporting obligations (complaint handling services).
  • A financial service provider is distributing shares in collective investment schemes on behalf of a fund and is therefore collecting personal data of investors. The service provider is subject to certain reporting duties such as e.g. anti-money laundering laws.
  • A bricks-and-mortar business wishes to set up a portal to enable internet users to register for a competiton. For this purpose it engages an external provider to run the registration process. The external provider dictates what data is to be provided, the terms on which it will be processed and for what purposes the data is to be used.

Determine the Role of Each Party

As mentioned above, article 4 (7) of the GDPR stipulates that the controller is the natural or legal person which determines the purposes and means of the processing of personal data. Accordingly, first you need to look at the purpose for which the personal data is collected and second to clarify who determines this purpose and the means of processing of personal data. Coming back to the examples, this means:

  • Where (a) the medical devices manufacturer alone has a reporting obligation: the medical devices manufacturer acts as controller of the personal data required for the reporting obligation and as processor of further personal data for complaint handling services (assuming that the products are not sold directly by the manufacturer); and the importer, the distributor and the device user facility act as controller; and (b) the medical devices manufacturer and the importer, the distributor as well as the device user facility each have a reporting obligation: the manufacturer acts as processor for fulfillment of the importer’s, the distributor’s and the device user facility’s reporting obligation and as controller for the fulfillment of its own reporting obligation; and the importer, the distributor and the device user facility act as controller.
  • For the personal data required for the service provider's compliance with the reporting duties pursuant to financial market laws, the service provider is controller and (if the fund also requires such personal data as part of the provision of the services by the service provider) the fund is also controller. If the service provider is collecting further personal data that goes beyond the personal data required for its reporting obligations, for such data, the service provider is acting as processor and the fund as controller.
  • For the data collected by the online portal, the bricks-and-mortar business operating the portal is controller. It outsources a part of the function of the portal to a service provider, but the service provider determines the purposes for which it may use the data, typically in general terms and conditions that cannot be amended. Both provider and customer are controllers. To the extent the service provider requires the customer to process the data in certain ways on its behalf, the customer is also a processor. This may be the case for many online-advertising an analytics provider.

As shown in this article, determination of the roles between two parties in connection with processing of personal data needs to be carefully analysed in each individual case.


If you liked this article, you might also be interested in reading more from the same series:

Check for GDPR compliance and receive a customised list of next steps for free, by Nicola Benz and Ronald Kogens


Stay on top of the latest legal topics and subscribe to our blog here:



Topics: Data Protection

Name 13

Nicola Benz

Nicola Benz’s practice is focused on technology and life sciences transactions. She assists technology companies of all sizes, from start-ups to established players, as well as investors, suppliers and customers across a broad range of industries and sectors. Nicola Benz’s expertise covers outsourcing, licensing, joint ventures and collaborations and associated intellectual property issues. She also has considerable experience advising on all types of commercial contracts, competition and regulatory issues and data protection. Nicola Benz is recognised as a globally leading patent and technology licensing lawyer, as well as a leading practitioner in the field of intellectual property. Chambers Europe (2018) ranked her as leader in the fields of Intellectual Property and Life Science, and she was recommended in the 2018 edition of the Legal 500 EMEA for Intellectual Property as well as TMT matters. She has also been named as a thought leader for data law in the publication "Who's Who Legal 2018". Born in Scotland, Nicola obtained her law degree from the University of Edinburgh (LLB Hons) in 1997. She joined our firm as an associate in 2002 and became a partner in 2010. Since 2017 she has been the managing partner of our firm. Her working languages are English and German. Nicola is a member of the Zurich Bar Association, the International Trademark Association (INTA), the Licensing Executives Society (LES) and the International Technology Law Association (iTechLaw).

Connect with me:
Name 13

Ronald Kogens

Ronald Kogens’s practice is focused on disruptive technologies. He advises Swiss and international clients as well as public entities in corporate and technology-related transactions. Ronald Kogens has in-depth knowledge of IP/IT law, in particular licensing of IP-rights, IP-transaction, financial market and contract law. He is an expert in the field of blockchain technology, crypto-currencies and crypto-tokens. He joined Froriep in 2017 as an associate and became partner in July 2019. Before that he worked for a major global consulting firm. He was also part of the legal counsel team of a public listed pharmaceutical company at the headquarters in Switzerland and worked for its subsidiary in the United States. Ronald Kogens graduated in law from the University of Lucerne in 2011 and was admitted to the St. Gallen Bar in 2012. In 2016 he was awarded a Master of Laws (LL.M.) in business law from the Chapman University, California, United States. His working languages are German and English.

Connect with me: