Data Controllers, Data Processors, and the Growing Use of Connected Products in the Enterprise: Managing Risks, Understanding Benefits, and Complying with the GDPR

Journal of Internet Law (Wolters Kluwer), August 2018

21 Pages Posted: 22 Jun 2018 Last revised: 5 Oct 2018

See all articles by Mike Hintze

Mike Hintze

Hintze Law PLLC; University of Washington School of Law

Date Written: June 7, 2018

Abstract

Modern enterprises increasingly purchase and deploy products and services from third parties that collect data as part of providing the services. In this context, there is a common belief that the enterprise must be the “data controller” (in the terminology used in European data protection law), and the third-party provider must be a “data processor” acting on behalf of the enterprise. However, such a blanket rule is neither required by the law nor reflective of reality. There are many instances in which a third-party provider acts in whole, or in part, as a data controller. While the characterization of the third-party provider as a controller or a processor has certain legal ramifications, the difference may be less significant under the General Data Protection Regulation (GDPR) than under prior European data protection law. Legal compliance, risk mitigation, and appropriate protection of personal data can be achieved whether using products and services provided by data controllers or data processors; and there are pros and cons to each approach.

This paper describes the data protection obligations on organizations that purchase and deploy products and services that collect and transmit data to a third-party provider. For each obligation, it will discuss the similarities and differences (if any) in those obligations between those cases where the data is collected by a data processor and those where the data is collected by a data controller. This paper focuses on those obligations imposed by the European GDPR; but because many of the principles and obligations occur in other privacy laws around the world, many of the conclusions can be generalized for global approaches to compliance.

Keywords: Privacy, Data Protection, GDPR, Processor, Controller, Compliance

Suggested Citation

Hintze, Michael, Data Controllers, Data Processors, and the Growing Use of Connected Products in the Enterprise: Managing Risks, Understanding Benefits, and Complying with the GDPR (June 7, 2018). Journal of Internet Law (Wolters Kluwer), August 2018. Available at SSRN: https://ssrn.com/abstract=3192721 or http://dx.doi.org/10.2139/ssrn.3192721

Michael Hintze (Contact Author)

Hintze Law PLLC ( email )

505 Broadway E #151
Seattle, WA 98102
United States

University of Washington School of Law ( email )

William H. Gates Hall
Box 353020
Seattle, WA 98105-3020
United States

Register to save articles to
your library

Register

Paper statistics

Downloads
228
rank
131,003
Abstract Views
745
PlumX Metrics