GDPR controller and processor

2JP

Free Member
Dec 10, 2017
187
31
After a recent message from the business secretary, it would appear companies simply selling to the EU and gathering data for core business purposes only (e.g. delivery address for goods) may need to revisit GDPR compliance as per guidance on the IPO website should the EU determine that the UK is not safe for handling the data of their subjects.

Having observed some interpretations of GDPR legislation, I am confused as to the designation of controller and processor.

1) A potential customer (acting as an individual or as an employee of a company) emails a retailer enquiring about a product for sale. The individual uses their personal name to sign off the email, thus identifying themselves with this personal information. The retailer makes no record of the enquiry but can reference it, having access to their own email. The potential customer requests a reply. Does the retailer become a controller of personal data the moment they begin a reply email to the potential customer addressing the customer by their name because the retailer has determined to use this personal information in an email to the customer?

2) Is the retailer already a controller by simply receiving the email into their (email) data system because it has become part of their stored digital data and, through the use of an electronic search facility, be interpreted as storage in a database?

3) Under ICO recommendations, should the retailer specify an SCC to be signed by the potential customer before any further communication in order ‘to keep data flowing’?

4) As the personal information has already been submitted by the potential customer, and in digital storage accessible by the retailer, how can the retailer protect itself if the customer does not sign a contract?

5) A retailer is selling goods to individuals (i.e. B2C). A customer has submitted their own personal name and address data having already been told the purposes and means to which that personal data is to be used, i.e. that the retailer will pass it to a (specified) delivery service provider in order for the contract between customer and retailer to be satisfied (unless terms are, for example, ex-works).

I understand that a retailer would be a controller if it decides to process this data in some manner not already disclosed to the customer before the customer submitted their personal information.

However, once a purpose and means specification has been declared for how a certain piece of information will be used, while that information has not yet been obtained, surely the customer is the controller of that piece of personal data and determines its use fit for the purposes and means specified. The customer, the controller, has full control of the data it wishes to submit and the obligation for the retailer, the processor, is to then use it for the purposes and means already agreed.

Is this the correct interpretation?
 
I think you are massively overcomplicating it.

A Controller is the party that determines the necessity and means of collecting and processing data.

A Processor is a party that processes data in some manner, under the direct instruction of a controller.

A data subject (customer) is NEVER a processor or controller; they are the person whose information is received, collected or otherwise processed by a data controller, or a data processor acting on their behalf.


The retailer will be a controller, because they operate an email system to receive emails from a customer, and those emails are personal data.

A data subject (customer) does not have to sign anything. It is the controller who must have a contract with their provider (e.g. Microsoft for Office 365, Google for Gsuite/gmail).


To be blunt, if you do not properly understand these basic principles, you really need to engage professional support from someone like me who can advise and support your business.
 
Upvote 0

2JP

Thanks, Mike.

A Controller is the party that determines the necessity and means of collecting and processing data.
Not as defined by EU regulations: "‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"
It is ambiguous whether this refers to determining the purposes of the personal data, or the purposes of processing the personal data. Also, it is not the party determining the 'necessity' but determining 'purposes'. And it is not defined as collecting and processing, but as purposes and processing.

A Processor is a party that processes data in some manner, under the direct instruction of a controller.

A data subject (customer) is NEVER a processor or controller; they are the person whose information is received, collected or otherwise processed by a data controller, or a data processor acting on their behalf.

Thank you for clarifying B2C. For B2B, what if the enquirer is an employee of a business, acting on behalf of the business and not for themselves, and gives their name? What if they mention the name of another person in their organisation in their email or give out personal addresses of employees of the company, and stipulate the purpose for supplying said data (e.g. a personal delivery address in a COVID situation when there is no one to receive packages at the work address)? What if they include another person's email address (in their company) cc'd as an email recipient (this surely represents someone else's personal data and the sender has determined that personal data to be emailed to the retailer; a form of processing)?

The retailer will be a controller, because they operate an email system to receive emails from a customer, and those emails are personal data.

Not all retailers operate an email system; that is provided by the email service provider. The retailer has an email address and will have access to emails sent to that address. Emails are not necessarily personal data but they may contain such. Not even an email address is necessarily personal data because it may belong to a group. Has not a means of processing personal data been decided by a customer sending an email containing personal data? It has been written with the purpose that the retailer have it digitally accessible as an email (is this not a form of processing?). If the enquirer has mentioned personal data of another individual in their email then have they not become a controller?

A data subject (customer) does not have to sign anything. It is the controller who must have a contract with their provider (e.g. Microsoft for Office 365, Google for Gsuite/gmail).

Even when they have possibly become a controller by transferring personal data relating to someone else (the name of a colleague, for example) through an email?

To be blunt, if you do not properly understand these basic principles, you really need to engage professional support from someone like me who can advise and support your business.

Thank you for your interpretation. To be equally blunt, what qualifies you to be so definite? Have these interpretations been tested in court?
 
Upvote 0
After 25 years working in Data Security and Data Protection, advising businesses and government agencies, I think I am qualified. What confirms that is my holding the Practitioner Certificate in Data Protection, issued by the people that advise the ICO and helped write the GDPR.
Not one of these namby-pamby multiple choice tests that a trained monkey could pass. Not GDPR, but all privacy law, including DPA2018 (and DPA1998 before it), PECR, Computer Misuse Act, GDPR, even now considering the CCPA and the fact that sending any data outside Europe is no longer protected by the Privacy Shield Agreement.


There is no ambiguity at all. Controller is the party who determines the means and necessity of processing. It's simple. Whether someone is B2B or B2C does not come into it.
Processor is a party acting on behalf of a controller.
Anyone else, such as customers or potential customers requesting information or a service, are the data subject, not a processor, not a controller.

Whether a business operates its own email or not, if they engage a service provider, ISP or otherwise, if they have an email address, or a telephone number, or a postal address that "customers" can reach them on, they are a Data Controller for any personal data they collect via any or all of those means.

And yes, these points have been tested in County Court, High Court, Supreme Court, EU Court, by the ICO, by the European Data Protection Board. An Email can and does constitute personal data, it is subject to disclosure in a SAR and subject to the same protections.

Employee data is covered by the same principles of confidentiality as any other data and those people have rights. Covid is a bit different if there is a legitimate reason for disclosure.

To be fair, there are far too many points on here to discuss in a forum thread. Your questions are really fundamental basics that our clients pay us £595+vat per month to have access to.
I don't mind answering a singular point, but here your arguments are on multiple facets of the law.
 
Upvote 0

2JP

Thank you, Mike, I meant no insult you understand. It sounds like an excellent service but I am not sure how the government expects many small and micro businesses to pay £595 per month for fundamental basics. I will have a good look at your website. All the best.
 
Upvote 0
@2JP, neither did I mean any disrespect. I do find it highly frustrating that despite the wealth of information on the ICO website, and forums like this, there are still far too many businesses confused by the terms and obligations, when it really cannot be any simpler. Those who wrote the GDPR took great care to make it so, even down to the "recitals" that sit behind and describe the intention of the law.

We do have cheaper services for small or micro businesses but please understand that cost has a direct relationship with complexity. Our cheapest package is £295+vat. Yes that's £3.5k for professional support, or we do have Pay as you Go style services at £165+vat per hour, so there are options.
 
Upvote 0

2JP

As usual with regulation requirements, there are simply not enough real world examples on the ICO website. Phrases like, 'the more boxes you tick, the more likely you are to fall into the category' are fairly unhelpful. I want dichotomous keys. That would be simpler.

Where does it say the customer is never the controller?

A definition of a controller being 'the main decision-maker – they exercise overall control over the purposes and means of the processing of personal data'.

In a sales contract, it is clear and very obvious to me that it is the customer that commences a personal data transfer (e.g. their name) by making a voluntary decision to contact a retailer through an order or quotation request; the retailer does not control them doing so other than to, perhaps, state that if such and such data is not provided then there can be no contract (e.g. a delivery address). The customer then makes the decision to provide that data. The customer has also defined the purpose by the act of contacting the retailer - to buy goods, for example. If all the retailer does is pass the name and address to a delivery courier, has not the decision for this already been made by the customer at the point when the retailer requested their delivery address to give to a courier? The customer has full control over what data is provided, for the purpose stated. If the retailer states what they will do with the data before it is collected and uses it in no other way then it is the customer that has been the decision maker (the controller) throughout the whole process. Why is the retailer not just a processor?

Don't answer, because you will simply repeat yourself, failing to accept the possibility of such interpretation, having been indoctrinated by another. But please do accept that it may not be so bloody obvious to some people.
 
Upvote 0
You are right, I cannot answer without repeating myself, but the law is the law, and it has been the way it is for well over 20 years, since the 1984 Data Protection Act.

By all means, don't take my word for it. Go and pay a solicitor for independent advice, phone the ICO's free helpline, or even call your local Chamber of Commerce who I am sure will be happy to tell you the same as what I have.

You could always try looking at https://www.itgovernance.co.uk/data-protection
or sign up for the free course at https://www.knowledgetrain.co.uk/da...training-courses/gdpr-online-training-courses

I am by no means recommending these sites, or advocating that what they say is entirely correct. I am in no way connected to them; you can therefore verify for yourself whether your opinion is right or wrong in law.

If after all that, you still feel that as a customer of UKBusinessForums, using a service that you chose to use, and by your definition are a Data Controller, then please send me all the personal data you hold about me, pursuant to my Article 15 Right of Access.
 
Upvote 0

2JP

Mike, I have never doubted that what you have written is how the legislation is interpreted by general consensus and I very much thank you for your input. My problem is that it has been so vaguely defined. You have not told me why my alternative interpretation of the definition of the legislation is incorrect, only that it is incorrect.
 
Upvote 0
2JP, I do not believe the GDPR is vague at all; in fact it is one of the clearest legislative instruments ever written around data privacy.

Try thinking about it this way.

The party giving the information will be the Data Subject, the identifiable individual about whom the data relates, and that the GDPR aims to protect. B2B or B2C, they are a person.

The party receiving the information will in the majority of cases always be the Data Controller. They determine the ways they can receive the information given and are in direct control of protecting that data going forward for as long as it is needed, hence the name Controller.

Once a Data Subject (customer) has given the Controller (retailer) the information, they can no longer be physically in control of their own data, hence the GDPR expects the Controller (retailer) to be transparent about what it does and provide mechanisms by which the Data Subject can exercise control.


In the event a controller must share data with another party to fulfil a contract to the customer (data subject), that third party is a Processor of the Data Subject's data. The Processor neither asked for the information directly from the data subject, nor determined what information was collected from them. They are merely engaged to "process" the information they are given to provide the service they are asked to provide by the controller.
 
Upvote 0

2JP

I appreciate your efforts and admire your tenacity at remaining civil to someone playing devil's advocate like me. I think I understand your interpretation and it seems very sensible to me. My only remaining aim is to attempt to make you see the tiniest chink of possible incongruity. That is the place I started from.

Your interpretation makes the assumption that an entity can control and decide what information is given to them. Quite simply, this is intuitively and factually not true.

We have had credit card details emailed to us without any control on our part. We have had personal tax identity information emailed to us without any control on our part. Our data policy does not include these things on the data we collect AND YET once in our possession, as you rightly say, the Data Subject (customer) 'can no longer be physically in control of their own data.' We had no control. We made no decision. We have now been forced to process that data in some way (even if deleted we have 'processed' it and we feel obliged to ensure that it is also purged from any email backups). Why are we the controller? Must we now become PCI DSS compliant? Must we update our privacy policy to include the handling of tax identity information? Can you really not see the possibility of a data subject being the controller by your definitions?
 
Upvote 0
2JP, I also appreciate your tenacity at this point of view, but it simply cannot be.

I agree, any business can be sent any data by email, indeed I frequently advise businesses on their online forms, surveys and social media, not to allow "free text" fields and to narrow down what information can be submitted. They should also "recommend" that people do not voluntarily supply information that has not been explicitly requested.

As a user of this site, I could post my phone number here. I could in theory post the phone number of others here, but that would be against SIFT's terms of use. Nobody could hold them responsible for that data because they don't want it, have no use for it and actively discourage it.

Honestly, I think the law is written such that if someone is stupid enough to give information that hasn't been asked for and is not explicitly needed, they are doing so at their own risk.

The very definitions as written in the GDPR say the Data Subject cannot be the Data Controller. They are explicitly different definitions on the same page of that law.
 
Upvote 0

2JP

Honestly, I think the law is written such that if someone is stupid enough to give information that hasn't been asked for and is not explicitly needed, they are doing so at their own risk.

For example, someone's name signing off an enquiring electronic message? Only the email address is needed at that stage for a reply. In my experience, most people 'stupidly' voluntarily give at least their first name at the end of an email, and often more. It was not asked for. All that is often needed is a way to reply e.g. email address. Technically, are we not obliged to care for that piece of personal data (name) at that stage?

e.g. Enquiry from j@thing: 'Hello. I want to buy 5 Christmas puddings. Do you have stock? John Smith.'
Reply to j@thing: 'Thank you for your enquiry. We currently have 10 in stock but order quickly as they are going like hot cakes.'
 
Upvote 0
I would say in that scenario, the content is reasonably expected and any further processing to respond to it is necessary. The retailer would likely have a policy that says something along the lines of "we will use your name, email address and any other contact information you provide us to respond to your requests for information or to enter into an agreement to supply products or services to you".

If someone said "Hello. I want to buy 5 Christmas puddings. Do you have stock? My credit card number is 1234, expiry 02/22 and CVC 987. Please ship to 1 North Pole" then I'd say they're frankly stupid.

In that scenario, the retailer is processing by way of receipt, even if they didn't ask for the information, so one of two things could happen:
  1. The retailer fulfills the order and charges the card; then experiences a data breach or a whistleblower and is investigated by the ICO, who fine them for a breach of GDPR; or
  2. The retailer would have to consider that as a possible scenario and have a process to deal with it. My recommendation would be they reply (removing the unnecessary information) advising of stock and directing the customer where to go to place an order securely, and confirming they will delete the original email as it violates their data protection policy.
With any of our clients who we put in place GDPR policies for, we always start with mapping the customer journey. How can they receive data whether they ask for it or not, so we can cover those bases.
 
Upvote 0
