Data Controllers, Data Processors, and the Growing Use of Connected Products in the Enterprise: Managing Risks, Understanding Benefits, and Complying with the GDPR

Journal of Internet Law (Wolters Kluwer), August 2018

21 Pages. Posted: 22 Jun 2018. Last revised: 5 Oct 2018.

Mike Hintze

Hintze Law PLLC; University of Washington School of Law; Future of Privacy Forum

Date Written: June 7, 2018

Abstract

Modern enterprises increasingly purchase and deploy products and services from third parties that collect data as part of providing the services. In this context, there is a common belief that the enterprise must be the “data controller” (in the terminology used in European data protection law), and the third-party provider must be a “data processor” acting on behalf of the enterprise. However, such a blanket rule is neither required by the law nor reflective of reality. There are many instances in which a third-party provider acts in whole, or in part, as a data controller. While the characterization of the third-party provider as a controller or a processor has certain legal ramifications, the difference may be less significant under the General Data Protection Regulation (GDPR) than under prior European data protection law. Legal compliance, risk mitigation, and appropriate protection of personal data can be achieved whether using products and services provided by data controllers or data processors; and there are pros and cons to each approach.

This paper describes the data protection obligations on organizations that purchase and deploy products and services that collect and transmit data to a third-party provider. For each obligation, it will discuss the similarities and differences (if any) in those obligations between those cases where the data is collected by a data processor and those where the data is collected by a data controller. This paper focuses on those obligations imposed by the European GDPR; but because many of the principles and obligations occur in other privacy laws around the world, many of the conclusions can be generalized for global approaches to compliance.

Keywords: Privacy, Data Protection, GDPR, Processor, Controller, Compliance

Suggested Citation

Hintze, Michael, Data Controllers, Data Processors, and the Growing Use of Connected Products in the Enterprise: Managing Risks, Understanding Benefits, and Complying with the GDPR (June 7, 2018). Journal of Internet Law (Wolters Kluwer), August 2018, Available at SSRN: https://ssrn.com/abstract=3192721 or http://dx.doi.org/10.2139/ssrn.3192721

Michael Hintze (Contact Author)

Hintze Law PLLC

505 Broadway E #151
Seattle, WA 98102
United States

University of Washington School of Law

William H. Gates Hall
Box 353020
Seattle, WA 98105-3020
United States

Future of Privacy Forum

United States
