Data Privacy for Beginners
There’s an important distinction in EU data privacy law between what are called data ‘controllers’ and data ‘processors’. This has wide-reaching implications for how national legislation applies to those who handle personal data and, by extension, for how they approach compliance.
A ‘controller’ is a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes for, and the means of, processing personal data. In practice, the status of controller turns on the ability to decide how personal data is being collected, stored, used, altered or disclosed. If this is exercised jointly by different entities then they will be regarded as joint controllers. A ‘processor’ is a person (other than an employee of the controller) who processes data on behalf of a controller.
The fundamental point is that the controller (rather than the processor) is responsible for complying with the national laws implementing Directive 95/46/EC across the EU. As part of these obligations it's the controller's responsibility to ensure that a written contract governs its relationship with any processors and that processors comply with the data protection obligations set out in that contract.
So, in an outsourcing relationship for example, the customer will usually be the ‘controller’ and the supplier the ‘processor’. This has two practical implications:
1. The outsourcing contract may be silent about the roles of the parties in relation to data processing, but their respective obligations should be consistent with the customer exercising a dominant role in determining the purposes and means for which processing takes place. If this isn’t clear in the contract the line between controller and processor will blur, creating compliance risk for the supplier and commercial risk for the customer.
2. The Directive expressly states that the carrying out of processing by way of a processor must be governed by a contract binding the processor to the controller and stipulating that: (a) the processor will act only in accordance with the controller’s instructions; and (b) the processor will implement appropriate security measures.
Of course modern data processing is rarely limited to a straightforward relationship between two parties. Within a corporate group, operating companies in different countries will often rely on a third group entity to procure data processing services. This third entity will appoint a service provider as a prime contractor and the service provider will probably then in turn subcontract some of those services to other entities within its corporate group or to third parties. These arrangements have important data protection implications and normally result in a chain of agreements where the different parties are required to flow obligations down the chain. In this situation, whilst it’s not necessary for the controller to define and agree in detail the means of processing used, the customer should normally be informed of the main elements of the processing structure, so that it remains in control.
There is also the related matter of data processing by organisations outside the customer's home jurisdiction. I will look at this in a later post.
Data Privacy for Beginners (Part 2)
05/05/2010