Controller or Joint Controller?

JDHamilton

Free Member
Jan 24, 2019
Hi,
Just a quick question around who controls the data. I'm aware that the regulation states the data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed. But I'm unsure in this instance who is determining the purpose.


We sell a product/service to a business, they then install the product into a customer's property. This collects and sends some PII data back to a database hosted by a third party for the business to analyse etc.

Are we the Data Controller, because we design and sell the product and therefore determine the purpose for which the data is processed?

Or are we Joint Controllers?

Any guidance would be much appreciated!

Thanks

James
 
Hello James,

Let me see if I have this right before I offer my opinion.

You make a product which is designed to collect some data, which you sell to other businesses who then install these with customers.

The devices send their data back to a system that you provide, albeit hosted by a third party like Amazon Web Services, but it is the businesses who buy and resell/install your device who benefit from and use that information? You yourself do not use that information?
 

JDHamilton
Yes, the businesses who buy the product will benefit from and use the information!
However, because we make the product we do have overall access to all the data in the hosted environment (for troubleshooting etc.) and may from time to time pull statistics from the portal. These statistics are likely to be anonymised and would be more related to operational running of said product.
 
This is an interesting scenario. Ideally I'd like to have a more detailed conversation with you as this would make a great article, but provisionally I think it may be simpler than you may think.

Although it may be you that determines what information the devices collect and what the database stores, I would personally say it's more about who holds the relationship with the Data Subjects.

If the installer owns the relationship and the Data Subject would always go to the installer rather than come to you directly with any issues, support queries or Subject Requests, there is a strong argument that you are merely a Data Processor and the installers are the Data Controllers. You would obviously still have obligations to those controllers for privacy, controls, retention and breach notifications etc., but in essence you simply provide a service that the installers choose to use.

A Joint Controller relationship may exist however if the Data Subject could interact directly with your business, e.g. for support or to make Data Subject Requests, or if you determine things like retention periods that the installers cannot override.

I think it is reasonable that most cloud service providers will use the information their customers put in their systems for operational statistics and as long as they don't use the personal information that their customers put in the system, they are considered controllers of that data.
 

fisicx

Moderator
I think it's very simple.

The purchaser of the product/service is the data controller. They are the ones collecting and using the data. One of their responsibilities is to ensure the data is secure so they will need to see your documentation relating to this. They would be responsible for ensuring your security and privacy procedures meet the standard in their privacy/data protection policies.

Should you need to access the data you would do so as a data processor under authority from the data controller.
 