Scope

• Author: David Zetoony
• Profession: Is a partner in the Boulder, Colorado office of Bryan Cave Leighton Paisner, LLP, an international law firm
• Pages: 13-22

13

scope

Q.13 cAn A seRVIce pRoVIDeR BecoMe A

“contRoLLeR”?

Yes.

It is a common misconception that all service providers are considered

data “processors.”

As is discussed in Q 3, “processing” encompasses a broad range

of activities. If a company is retained to conduct any of those activi-

ties on behalf of a controller but retains the ability to “determine the

purpose and means of the processing” then it would be considered a

“controller” or a “joint controller” under the GDPR. As an example, if

company A hired marketing company B to collect personal data about

prospective customers of company A but then permitted company B

to decide how long that data was kept and whether to use it for other

customers, company B would be considered a “controller” despite the

fact that its processing was conducted (at least originally) “on behalf

of” company A.

Q.14 Does tHe GDpR IMpARt tHe sAMe

ReQUIReMents on contRoLLeRs AnD

pRocessoRs?

No.

Some requirements within the GDPR apply equally to controllers

and processors, such as the obligation to take steps to secure data.32

Other requirements only apply to controllers, such as the obligation to

provide individuals about whom information is collected with a privacy

notice,33 the obligation to respond to individuals’ requests to access the

personal data that a company maintains about them,34 and the obligation

32. GDPR, Article 32.

33. GDPR, Article 13, 14.

34. GDPR, Article 15.