November 27, 2021

Volume XI, Number 331


November 24, 2021


Is A Payroll Administrator a Processor or Controller Under the GDPR?

A controller refers to the entity that determines the “purpose and means” of how personal data will be processed. Determining the “purpose” of processing refers to deciding why information will be processed. Determining the “means” of processing refers to deciding how information will be processed.1 That does not necessarily mean, however, that a controller needs to make every decision about how processing will occur. The European Data Protection Board (EDPB) distinguishes between “essential means” and “non-essential means” of processing.2 Essential means refers to those processing decisions that are closely linked to the purpose and the scope of processing and, therefore, are considered by the EDPB to be “traditionally and inherently reserved to the controller.”3 Non-essential means refers to processing decisions that are more practical, day-to-day, implementation decisions and can be left to the discretion of a processor. These include such things as the type of computers or software that an organization decides to use.

Payroll administrators are companies (or individuals) that assist employers with the process of compensating employees. A payroll administrator may keep track of the number of hours employees work, employee pay rates, employee benefit elections, and employee-related tax payments and deductions. The EDPB has suggested that payroll administrators would be processors based upon the following assumptions: 4

| Controller Functions | | Present | |
|---|---|---|---|
| Purpose of processing | Why. The entity determines why the processing is taking place. | X | A business client, and not a payroll administrator, determines the purpose of processing (i.e., paying the business-client’s employees). |
| Essential means | Data types. The entity determines which data will be processed. | X | Payroll administrators do not determine what personal data is collected about an employee. |
| | Duration. The entity determines how long data is processed / stored. | X | The EDPB assumes that most business-clients instruct their payroll administrator concerning the length of time that data will be stored. |
| | Recipients. The entity determines who shall have access to the data outside of the organization. | X | The EDPB assumes that most business-clients instruct their payroll administrator as to the tax authorities to whom personal data should be disclosed. |
| | Data subjects. The entity determines whose personal data is processed. | X | The EDPB assumes that a business-client decides whose information will be processed (i.e., who should be hired, and who is to be paid). |


1 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 33.

2 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

3 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

4 EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

©2021 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 127

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 
