June 24, 2021

Volume XI, Number 175

Advertisement

June 23, 2021

Subscribe to Latest Legal News and Analysis

June 22, 2021

Subscribe to Latest Legal News and Analysis

June 21, 2021

Subscribe to Latest Legal News and Analysis

GDPR: Is Market Research Co. or Outsourced Call Ctr. Processor or Controller

Is an outsourced call center a processor or controller under the GDPR?

A controller refers to the entity that determines the “purpose and means” of how personal data will be processed. Determining the “purpose” of processing refers to deciding why information will be processed. Determining the “means” of processing refers to deciding how information will be processed.1 That does not necessarily mean, however, that a controller needs to make every decision about how processing will occur. The European Data Protection Board (EDPB) distinguishes between “essential means” and “non-essential means” of processing.2 Essential means refers to those processing decisions that are closely linked to the purpose and the scope of processing and, therefore, are considered by the EDPB to be “traditionally and inherently reserved to the controller.”3 Non-essential means refers to processing decisions that are more practical, day-to-day, implementation decisions and can be left to the discretion of a processor. These include such things as the type of computers or software that an organization decides to use.

The EDPB has suggested that a company that provides call center support for another business would generally be considered a processor based upon the following assumptions:4

Controller Functions

Present

Purpose of processing

Why. The entity determines why the processing is taking place.

X Assuming that a company retains a third party to provide call center support, the call center would not determine the purpose of processing.

Essential means

Data types. The entity determines which data will be processed.

X The EDPB implies that a call center that provides customer support would typically not determine the type of data that would need to be processed. This presumes that the call center is provided instructions from its client regarding what information is necessary to support various data subject requests.

Duration. The entity determines how long data is processed / stored.

X The EDPB presumably assumes that a call center that provides customer support would not determine how long information (e.g., call recordings) are kept.

Recipients. The entity determines who shall have access to the data outside of the organization.

X The EDPB presumably assumes that most call centers would not be permitted to onward transfer personal information without the express permission of their client.

Data subjects. The entity determines whose personal data is processed.

X The EDPB assumes that most call centers do not control which individuals may be seeking customer service support.


Is a market research company a processor or controller under the GDPR?

A controller refers to the entity that determines the “purpose and means” of how personal data will be processed. Determining the “purpose” of processing refers to deciding why information will be processed. Determining the “means” of processing refers to deciding how information will be processed.5 That does not necessarily mean, however, that a controller needs to make every decision about how processing will occur. The European Data Protection Board (EDPB) distinguishes between “essential means” and “non-essential means” of processing.6 Essential means refers to those processing decisions that are closely linked to the purpose and the scope of processing and, therefore, are considered by the EDPB to be “traditionally and inherently reserved to the controller.”7 Non-essential means refers to processing decisions that are more practical, day-to-day, implementation decisions and can be left to the discretion of a processor. These include such things as the type of computers or software that an organization decides to use.

The EDPB has suggested that market research companies would be considered processors in the following situation:8

Controller Functions

Present

Purpose of processing

Why. The entity determines why the processing is taking place.

X Assuming that a company retains a market research company to provide insights regarding a specific issue, the market research company would not determine the purpose of processing.

Essential means

Data types. The entity determines which data will be processed.

X Assuming that the company that retains a market research company provides a list of questions to be asked of consumers, the market research company would not determine the data types to be processed.

Duration. The entity determines how long data is processed / stored.

X Assuming that the market research company does not retain the data, or only retains it for as long as instructed, the market research company would not determine the duration of processing.

Recipients. The entity determines who shall have access to the data outside of the organization.

X Assuming that the market research company does not have the right to transmit survey responses to third parties, the market research company would not determine who should receive the personal data.

Data subjects. The entity determines whose personal data is processed.

X It is not clear whether a market research company that identifies survey respondents would exercise sufficient control over the selection of the categories of data subjects as to function as a controller. The EDPB implied, however, that if a market research company conducted research regarding the types of consumers that would most likely be interested in one of its clients products the selection of data subjects to participate in the market research would not convert the market research company into a controller.


1 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 33.

2 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

3 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

4 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 81.

5 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 33.

6 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

7 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

8 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 42.

©2021 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 134
Advertisement
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement
Advertisement

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425
Advertisement
Advertisement