Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

14) Does your organisation process personal data on behalf of another organisation?

August 30, 2022

Answer yes if your organisation processes personal data on behalf of another organisation where they are the data controller and you are the data processor.

The GDPR and other data protection regulations across the world outline different obligations depending on your organisation's role in relation to the personal data that you process.

You can be a data controller, a data processor or a joint controller. You may take on different roles for different data sets.

The key question to ask yourself to work out whether you are a data controller or a data processor is: who determines the purposes for which the data are processed and the means of processing?

If this is you, you are likely the data controller. If this is not you, you are likely the data processor, processing that data on behalf of another party.

If you are a data processor, you must only act upon the instructions of the data controller and must make sure you have provisions in place to allow them to fulfill their obligations as a controller; this could be to allow them to determine retention rules, fulfill subject access requests, stop or change the means of processing etc. The next two controls ask about these specific obligations.

We recommend you read the ICO's guidance on data controller's and processors, here.

How to implement the control

This question is informational to help your clients understand whether you act as a data processor for any other organisation's personal data.

Answer yes if you process personal data on behalf of clients or other organisations. This means you process the data, but you do not make decisions about how or when to collect the data, what the data should be used for or how long to retain the data.

You can be both a data processor and a data controller for different data sets. You should answer yes if you act as a data processor for any personal data, regardless of whether you are also a controller or not.

If you would like to contribute to this article or provide feedback, please email Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.