Bulgarian Data Protection Authority’s guidance on whether banks and other regulated entities act as ‘controllers’ or ‘processors’
In September 2018 the Bulgarian Personal Data Protection Commission (“PDPC”) produced a number of formal opinions, in which the authority examined the concepts of ‘controller’ and ‘processor’ in the context of the activity of banks and providers of postal and courier services. The PDPC has taken the position, without outlining it as an absolute rule, that in principle companies that act under licenses or governmental permits and are subject to strict regulations, are controllers in their relationships with clients. This is because a client cannot instruct the service provider how exactly to process his data, since both parties are bound to comply with the laws and regulations, including data processing provisions, applicable to banking, insurance, postal or other regulated services. The PDPC’s guidance is of a general nature and leaves open the possibility that there are situations a regulated entity would, however, act as processor and not a controller.
It is well known among data protection practitioners that the question whether an entity is a controller or processor could be a quite difficult one. As the Article 29 Working Party (“A29WP”) (now the European Data Protection Board) has elaborated in its Opinion 1/2010, this answer significantly depends on the answer of another preliminary question: which one (or both) of the contracting companies determine the purposes (the “why”) and the substantial aspects of the means (the “how”) of the concrete processing operations. Such substantial aspects of the means of processing are related to issues ‘like “which data shall be processed”, “which third parties shall have access to this data”, “when data shall be deleted”, etc.’ The company which determine the “why” and the “how” acts as controller. A29WP has also suggested three additional indications to help determining the controller/ processor role (the level of detailed instructions given by the client; the level of service performance monitoring; data subjects’ expectations); however, none of which being conclusive by its own. The analysis needed to be undertaken to answer the question is a factual one and a change of circumstances could lead to different outcomes.
The PDPC has concluded that in a typical scenario the purpose and the substantial aspects of the means of data processing in a regulated businesses relationship with clients are both determined not by the client, but by the service provider (e.g. financial services institution, postal operator) on the basis of requirements set out in applicable laws and regulations. In its 2014 Guidance on Data Controllers and Data Processors (which has not lost its actuality under the GDPR) the UC ICO - the data protection authority for the United Kingdom, shared the same view as the PDPC with respect to the role of postal and courier services, saying that ‘the [mail] delivery service will be a data controller in its own right in respect of any data it holds to arrange delivery or tracking for example, such as individual senders’ and recipients’ names and addresses’.
On the other hand, the French authority CNIL tends to give another interpretation to a similar situation, saying in its GDPR Guide for Processors (September 2017) that in general the sub-contracting of mail delivery qualifies as processor’s activity. CNIL gives an example with a marketing letter delivery company: ‘Company A provides a marketing letter delivery service using the client data files of companies B and C. Company A is a processor of companies B and C insofar as it processes the necessary client data for sending the letters on behalf of and on instructions from companies B and C. Companies B and C are their client management controllers, including as regards the delivery of marketing letters.’ Analogously, the A29WP has also qualified a mail marketing company as a processor, because it is clearly bound to act as its client, Company ABC, instructs (the latter determines what marketing material to be send out and to whom) (Opinion 1/2010, Example 2). The WP29 further explains its arguments saying that only one entity, the Company ABC, is entitled to use the data which are processed and the mail marketing company has to rely on the legal basis of Company ABC, if their legal ability to process the data is questioned.
The proper establishment in what capacity companies act is quite important as controllers and processors have different responsibilities and liabilities. However, since guidelines from data protection authorities cannot be universal to cover all situations and also, even authorities could take sometimes different views on identical cases, it looks rather challenging for companies, especially in more complicated situations, to self-determine whether they are (joint or independent) controllers or processors.