Data controllers and processors: Liability roles in Data Protection

Lucian-Gabriel Burcea, one of our UK privacy experts, was invited to speak at the International Data Transfer & Compliance Virtual Summit on March 30, 2021. The summit is popular amongst privacy practitioners and enthusiasts. This article is based on Lucian-Gabriel Burcea’s speech, where he spoke about roles and responsibilities of data controllers and data processors and the direct obligations on data processors in binding contracts. Due diligence on vendors and other third-party services is illustrated, as well as the non-transferrable liability within contracts under the GDPR and its implications.

What you need to know in a nutshell

  • A data controller determines how personal data is processed; the data processor acts on behalf of the data controller
  • For data processors there are specific obligations in regard to personal data
  • International data transfer rules must be considered for compliance
  • Sub-processors should not be engaged without authorisation of the data controller
  • Sub-processors can also be held liable for non-compliance

Roles and responsibilities of a Data Controller: The fundamentals

Data controllers and data processors are both important terms which define the role of an organization in a data processing relationship. A data controller is a person or organisation who determines the purposes and ways in which personal data is processed. The data processor, however, is anyone who processes personal data on behalf of the data controller.

Often, a data controller will carry the primary responsibility to uphold and apprehend data protection principles. It is the primary responsibility of a data controller to implement safeguards to protect the processing of personal data from participating parties and individuals. Data controllers could also be held liable to data subjects for any non-compliance of a data processor.

Thus, data controllers are expected to work with data processors who have the appropriate technical and organisational measures in place to comply with data protection law. Processors, however, are also expected to follow relevant guidelines to demonstrate their own compliance with data protection law, as well as follow the processing instructions received from the data controller.

Direct obligations of Data Processors

Data Processors have specific and direct obligations in regard to personal data. At all times, they must enter into binding contracts with the data controller to maintain data security and implement adequate technical and organisational measures. Their work must evidence accountability, and they need to be prepared to be audited at any given time.

The international data transfer rules must also be considered for optimal compliance. In particular, if a processor's duties are outsourced and the outsourcing service is based outside the UK or EEA, they must be prepared to demonstrate that the correct safeguards are in place to secure the personal data whilst it is being processed in a third country. Processors must follow the instructions of a data controller unless data protection infringements have otherwise been identified and communicated to the data controller.

In some cases, processors might engage sub-processors, and therefore, it is advised that data processors do not engage sub-processors without the controller’s authorisation, unless otherwise stipulated in the contract. When sub-processors are involved, the data processor is fully liable to the Controller for the sub-processor’s compliance, and under Article 82(5) of the UK GDPR, if a sub-processor is at fault, the data controller may claim back compensation from the data processor for their sub-processor’s failings.

Can a processor be held liable for non-compliance?

A data processor could be liable for breach of contract in the event of a failure to comply with the instructions imposed by the data controller and with the contractual terms agreed with the controller.

In cases of failure to comply with the law, the data processor will be subject to investigative and corrective actions taken against them. Such corrective actions may include administrative fines and other penalties.

Finally, the Data Processor can face legal claims filed against them by any individual whose data they process. For example, Article 82 of the UK GDPR imposes liability to pay compensation for any distress or non-material damage caused to the individual.

Data processors should keep in mind that if they begin to determine the means of the processing, they will be considered a controller in respect to that processing.

Sub-processors' liability for non-compliance

Sub-processors may also be held liable when they fail to comply with any legal obligations imposed on data processors. They may also be held liable if they act above and beyond the Data Controller’s instructions.

Data processors are to be held liable to the data controllers for a sub-processor’s shortcomings. Under Article 82(5) of the UK GDPR, the data controller can claim compensation from the processor for any failures of the sub-processor. The sub-processor itself also has contractual obligations to the Data Processor where a sub-processing contract is established.

The processor must impose the same data protection obligations as set out by the controller. In the subprocessing contract, the processor should establish instructions they receive from the controller.


Due diligence in services

Another important topic in data protection is the due diligence in services, an area in which parties often fall short. Like any other commercial relationship, a due diligence process should be carried out before engaging any third party and wherever the processing of data is involved.

Such due diligence processes should answer:

  • What is the vendor’s market reputation?
  • Where is the vendor based?
  • What is the vendor’s proximity to the individuals?
  • What financial resources does the vendor have?

Usually, organisations will create vendor risk assessments, which assess the privacy program of the vendor. Assessments also help the contracted party identify any areas of risk and concern. Such risks can range from hacking, theft and unauthorised access to misuse of data.

Once a list of risks has been compiled, a data protection impact assessment may also be carried out to understand the level of risk and find ways to mitigate it.

In cases where a Data Controller wants to engage a Data Processor who has had multiple data breaches in the past few years, the Data Controller may wish to implement stricter instructions on that particular processor. These include strict technical and organisational measures that are to be regularly reviewed by the Controller itself.

A data protection assessment should ask questions to assess the risk appetite of third parties such as:

  • Does any part of the processing pose risks of non-compliance with the UK GDPR and Data Protection Act 2018?
  • Who is responsible for these areas of non-compliance?

There are often consequences for misjudging risks, including high costs and losses. Consequences include statutory compensation, regulatory actions carried out by the ICO and actions brought in by other regulatory bodies. Such bodies include the Financial Conduct Authority or the Gambling Commission for anti-money laundering and data protection due-diligence checks.

Mind the contract

Liability in the contract between a Controller and a Processor is not transferable. A Data Processing Agreement is a legally binding contract and may include limitations of liability and indemnity terms. However, under the UK and EU GDPR, it is impossible to relieve either party of their legal responsibility. If personal data is not lawfully processed, the individual has a legal right to compensation.

It is important to highlight that there are no circumstances under which a Data Controller can exclude liability to an individual or a supervisory authority and this is also applicable where an incident occurs from a data processor’s fault.
