GDPR Controller or processor

Just checking

We have done our updated terms ready to send out and have a query.

For bookkeeping services that we provide for clients (i.e. they give us their invoices) we then put it into the bookkeeping and subsequently accounts. I have regarded that as a data processing role as we will be actually processing details of their customers i.e. customer names etc.

Another practice I know has deemed that service as a data controller, so now I am confused: which is it?

And for the other services, is our end classification correct? Accounts and tax prep - data controller, payroll - data processor

What about confirmation statements? Another one for that?

We have done a lot of prep work/system changes this past year getting ready for it but now this has thrown me and made me question everything.

Many thanks

Replies (10)

By tom123
25th Apr 2018 13:17

My view would be:

Working on someone's personal data that you have obtained directly = data controller. This covers personal tax etc.

Working on personal data that someone else has given you as part of a contract = data processor.

But then, I am not in practice so my perspective may differ.

Thanks (0)
By Maslins
25th Apr 2018 14:39

My (no doubt oversimplified) view on it is:
- is your service just as a dumb tool, doing exactly what someone else tells you to do? This could be a bit of software, or a human following strict instructions provided by someone else, with negligible scope for your input. If yes, then you're a data processor.
- are you a bit more in control, deciding what data you might need to ask for? If yes, then you're a data controller.

Happy to be corrected if people more in the know think the above is flawed.

Thanks (1)
By Georgie Goldfish
25th Apr 2018 19:00

The ICO does have guidance on this from P45 in the doc I have linked below.
"Where specialist service providers are processing data in accordance with their own professional obligations they will always be acting as the data controller and cannot agree to hand over or share data controller obligations with the client in this context"

From the ICO website - https://ico.org.uk/media/for-organisations/documents/1546/data-controlle...

Thanks (0)
Replying to Georgie Goldfish:
By pjd17mini
26th Apr 2018 11:10

Is it just me that reads that as "if you're processing data.. you're a data controller.. not a data processor" and promptly hits head on desk?

Thanks (1)
Replying to pjd17mini:
By Georgie Goldfish
26th Apr 2018 14:15

Not just you no!

There is an example further along in the guidance about accountants which adds a little more clarity....para 44
"When acting for his client, the accountant is a data controller in relation to the personal data in the accounts. This is because accountants and similar providers of professional services work under a range of professional obligations which oblige them to take responsibility for the personal data they process. For example if the accountant detects malpractice whilst doing the firm’s accounts he may, depending on its nature, be required under his monitoring obligations to report the malpractice to the police or other authorities. In doing so an accountant would not be acting on the client’s instructions but in accordance with its own professional obligations and therefore as a data controller in his own right"

My question then is, are we ever data processors? The answer given the above must be no. Might have to get that confirmed.......

Thanks (1)
By Neil Armitage
26th Apr 2018 16:19

The ICAEW have released their engagement letter GDPR clauses and guidance.

It states that it's important we consider if the firm is a data controller, a joint controller (with the client) or a data processor in relation to the provision of each service.

It also says it's possible that a firm may act as a data controller in relation to some services and as a processor in relation to others. So it sounds like a firm can be both controller and processor for the same client depending on the services that are engaged.

Joy.

Thanks (2)
By Georgie Goldfish
26th Apr 2018 18:47

Have also been reading that and their GDPR FAQs this afternoon. It seems processor vs controller status isn't as clear as one would hope.

I note they are seeking clarification from the ICO but suggest legal advice if in doubt.

Thanks (0)
ALISK
By atleastisoundknowledgable...
26th Apr 2018 20:09

In practical terms, what do you have to do differently depending which one you are?
I must be missing something v basic, but I’ve still not got my head around that question!

Thanks (1)
By North East Accountant
04th May 2018 08:01

Wouldn't it just be nice for ICAEW etc to publish a list;

Account Prep=
Tax Return Prep=
Bookkeeping=

etc, etc

Save us all the hassle of coming up with different answers.

Thanks (0)
Replying to North East Accountant:
ALISK
By atleastisoundknowledgable...
04th May 2018 08:16

Well there’s wishful thinking. As if they have the resources to do that, we all only pay c£400(?) for a practising certificate for which we already get, errr, erm ... besides, it’s not like they charge for the engagement letter templates. Oh, wait ...

Thanks (0)