Data controllers, data processors and data processing agreements
Written by Stephanie Salomon on 4 minute read
To understand your obligations under the GDPR, it is important to first understand whether you are a data controller or a data processor.
Under the GPDR, processors will have their own direct obligations, but these are far fewer than for controllers. Currently, controllers need to contractually obligate processors to treat data in a certain way, but the GDPR now explicitly states exactly what that contract should contain.
What is a data controller and what is a data processor?
How do you know if you’re a controller or a processor?
It all comes down to decision making. You will be a controller if you determine one or both of the following:
- Why data should be processed
- How it should be processed to achieve the intended purpose
Processors, on the other hand, never decide why to process data. They leave this to the controller who has instructed them. Processors can make limited decisions about how to go about processing data for the purposes determined by the controller, but these can only be ‘non-essential’ decisions.
This means essential decisions should always be left to the controller, including decisions about what data to process to achieve the controller purpose or the economic model of the purpose pursued.
The main thing to remember is roles are allocated on the basis of fact.
It is not possible to enter a contract that says, for example, “X will be controller, Y will be processor,” and be sure that this will be the case. If, factually, Y has been making decisions about what data to process for X’s purposes, Y will end up in the role of joint controller alongside X. If Y decides to process data for their own purposes, they will be a sole controller for that new purpose.
Who's who in affiliate marketing?
In affiliate marketing, the advertiser is always a controller, because only the advertiser can decide ‘why’ to process data. Only the advertiser can decide, for example, “Let’s do some marketing online and pay commissions on a CPA basis."
What about networks and affiliate publishers? Are they processors or joint controllers with the advertiser?
Awin’s position is Awin is a joint controller with the advertiser, along with publishers. There is, in fact, a tripartite joint controller relationship: Awin has decided the economic model, and both Awin and publishers decide what data to process to deliver the advertiser’s affiliate marketing campaign.
This is because of the way transactions are tracked, queried and reported.
How did we come to this conclusion?
We arrived at this conclusion because it is the only one that accurately reflects how things work in practice.
Let’s say Awin or publishers were to try to work within the constraints of a data processor role, they would need to get any new data processing approved by each respective advertiser in advance, every time. They cannot make these decisions themselves.
From a publisher’s point of view, there is also the question of when they would start processing on behalf of the controller advertiser. Publishers are already controllers of data processed to acquire their own website users; only they have decided the separate purpose, “Let’s get some traffic so they can see the ads we publish."
If publishers were to be processors for advertisers, at what point in the consumer’s journey from the publisher website does the role flip? This would vary per ad, much less per publisher, or per publisher model.
What does this mean for publishers?
The benefit of this is Awin does not require publishers to enter data processing agreements.
However, we are adding new terms to our standard publisher agreement so we are clear on which joint controller is responsible for what. These terms cover how Awin and publishers will handle inquiries from consumers about data, how they will deal with a data breach should this happen, etc.
By making these responsibilities clear, it helps to prevent publishers and Awin being liable for each other’s breaches of the GDPR.
It also means that as a controller, publishers will need to comply with more of the obligations of the GDPR. However, publishers already need to do this when processing data for their own purposes. The consequence is that they will now also need to apply these obligations to the data processed to refer a consumer to an advertiser.
The main benefit is that on the Awin network, as long as it is done in accordance with the GDPR and with the relevant agreements or terms, publishers are able to decide for themselves how to process data when driving traffic to advertisers.