Following up on my post from Friday on joint controllers, I thought it might be useful to look at a couple of instances where your data processors might also be controllers. These are situations where you would probably just think about getting a Data Processing Agreement in place, but you should really think about whether you might also need to have a Joint Controller Agreement in place.
You may share personal data with:
Professional service providers have in common a code of conduct ensuring confidentiality of communications with their clients. In almost every instance, if you have passed along personal data to any of them as a result of a request from your client, then they will also be assuming a controller relationship with your client.
Businesses often contract some of their marketing activities or marketing research to an agency. When doing this, the agency is often processing personal data on behalf of the business. In most cases they will be a processor, but it actually depends on the brief you’ve given them. If they have the freedom to decide which of your customers to contact and what information to collect from them, then at that point they’re becoming a controller of that information, even if you remain in control of the work you’ve asked them to do. Make sure you don’t just assume your marketing agency is a processor – have a close look at what you’re actually asking them to do.
IT service providers can be more difficult. Here the rule is basically to understand exactly what data collection is being undertaken by the IT service provider. If the IT service provider is using technology to track and monitor individuals, either their physical or their digital presence, then they’re most likely both a processor and a controller: a processor because you’ve asked them to provide the service, and a controller because they’re using their own technology and are making a determination as to what data they are collecting and how they’re collecting it.
Almost all online retailers work with a third party like Square or Adyen to process their customers’ online payments. The payment company is not a processor. They are a controller because they stipulate to you what information your customers need to provide to them, and they have their own legal requirements to fulfill in terms of retaining and collecting the data. The upside is you don’t need to have a Data Processing Agreement in place with your payment provider. So this doesn’t strictly fit my list, but I wanted to call it out.