Data Processor: Some Say They Are Processors, But They’re Not
One of the most common questions in data protection is the difference between a data processor and a data controller under the General Data Protection Regulation (GDPR).
In professional practice, it is very common to encounter situations where a company claims that a third party is its data processor, when in fact what exists is a transfer or disclosure of personal data.
This distinction is important. If the relationship is truly a data processing engagement, a contract must be formalized as required under Article 28 of the GDPR. But if what exists is a data transfer, the third party becomes a data controller, with its own legal basis and obligations.
The issue arises when organizations try to “fit” a relationship under the label of access to data on behalf of a third party simply because there is access to personal data. However, not all access by a third party makes them a data processor.
Below are some common examples where many organizations assume there is a data processing engagement when, in reality, the third party is an independent controller.
Key difference between data controller and data processor
The core GDPR principle is relatively simple.
A data processor processes personal data only under the instructions of the data controller and does not independently determine the purposes or essential means of the processing.
In contrast, a data controller is the entity that determines the purposes and means of processing personal data.
When a third party has real autonomy in how it handles data, has its own legal obligations, or acts for independent purposes, the typical scenario is that there are two controllers, meaning there is a transfer or disclosure of personal data.
Banks: are they processors?
A common case occurs when a company shares client or employee data with a bank to manage payments, financing, or direct debits.
Sometimes this relationship is framed as if the bank were a processor. However, banks operate under their own sectoral regulations and are subject to multiple legal obligations.
The bank decides what controls to apply, how to manage data within its systems, and how to comply with legal obligations (for example, anti-money laundering rules). Therefore, it does not act solely on the company’s instructions but within its own operational framework.
In this context, the bank acts as an independent data controller, and the access to the data constitutes a data transfer.
Temporary Employment Agencies (ETTs)
Another common example involves Temporary Employment Agencies (ETTs).
When a company shares candidate or employee data with an ETT to fill positions, the relationship is sometimes documented as a processing engagement.
However, the ETT conducts its own business activity: managing recruitment processes, evaluating candidates, and processing data under its own legal and labor obligations.
Consequently, the ETT does not act solely on the client’s instructions but decides how to conduct the recruitment process, so it typically acts as a data controller.
Transport or courier companies
Another frequent scenario involves transport or courier companies that receive customer data to perform deliveries.
To provide the service, the carrier usually has access to data such as the recipient’s name, address, or phone number. At first glance, it may seem that the carrier is merely accessing data on behalf of the selling company.
However, the transport company organizes its own logistics, manages delivery issues, decides how to perform the delivery, and may even contact the recipient directly.
Thus, in many cases it acts as an independent data controller, and the transfer of this data constitutes a necessary data disclosure for service provision.
Vehicle leasing or rental companies
It is also common that in vehicle leasing or rental contracts, a company shares employee or driver data with the financial institution or leasing company.
Sometimes this relationship is formalized as a processing engagement, but the leasing company conducts its own financial or leasing operations.
This means it manages contracts, evaluates risks, applies compliance controls, and processes the data in its own systems.
Therefore, the leasing company generally acts as an independent data controller, not as a processor.
Occupational health and safety services
Another typical example occurs when a company provides employee data to an external service in compliance with the Occupational Risk Prevention Law.
Although the service accesses personal and even health-related data, its activities are regulated by specific laws, and it has its own professional obligations.
These services determine what information they need, how to conduct assessments or medical examinations, and how to manage data in compliance with applicable regulations.
Therefore, they normally act as data controllers, not processors.
Conclusion: not all access to data makes a processor
In data protection, it is common for relationships to be automatically documented through a data processing contract, even when this is not legally accurate.
However, incorrectly labeling a data transfer as access on behalf of a third party can create compliance issues: wrong legal bases, inaccurate privacy policies, or improperly drafted contracts.
Before signing a data processing agreement, ask yourself a simple question:
Does the third party process the data solely according to instructions, or does it also make its own decisions about the processing?
In many cases, the answer shows that some claim to be data processors… but in reality, they are not.
Author: Victor Rosello, Lawyer.
If you need help writing Data Protection regulations, contact us!
Information on data protection
Company name
LEGAL IT GLOBAL 2017, SLP
Purpose
Providing the service.
Sending the newsletter.
Legal basis
Compliance with the service provision. Consent.
Recipients
Your data will not be shared with any third party, except service providers with which we have signed a valid service agreement.
Rights
You may access, rectify or delete your data and exercise the rights indicated in our Privacy Policy.
Further information
See the Privacy Policy.
