Is a merchant’s bank a processor or controller under the GDPR?
A controller refers to the entity that determines the “purpose and means” of how personal data will be processed. Determining the “purpose” of processing refers to deciding why information will be processed. Determining the “means” of processing refers to deciding how information will be processed.[1] That does not necessarily mean, however, that a controller needs to make every decision about how processing will occur. The European Data Protection Board (EDPB) distinguishes between “essential means” and “non-essential means” of processing.[2] Essential means refers to those processing decisions that are closely linked to the purpose and the scope of processing and, therefore, are considered by the EDPB to be “traditionally and inherently reserved to the controller.”[3] Non-essential means refers to processing decisions that are more practical, day-to-day, implementation decisions and can be left to the discretion of a processor. These include such things as the type of computers or software that an organization decides to use.
Almost every company within Europe and the United States has a relationship with a merchant bank – i.e., a financial institution that holds funds on behalf of the company and remits payments as directed. Although many companies assume that banks function as their processors, the EDPB has taken the position that the essential means of processing include deciding “the duration of the processing” and “the type of personal data” that will be processed.[4] As banks do not permit their clients (i.e., companies) to dictate how long transaction-related information will be held, and do not permit their clients to dictate what information is needed in order to process a transaction (e.g., send payment to a third party), the EDPB considers banks to be controllers for the purpose of the GDPR.[5] The following summarizes the assumptions upon which the EDPB has determined that a merchant bank typically acts as a controller:[6]
Controller Functions | Present
--- | ---
Purpose of processing |
Why. The entity determines why the processing is taking place. | X – A business client presumably determines why information will be processed (e.g., to make payments to third parties).
Essential means |
Data types. The entity determines which data will be processed. | ✓ – The EDPB believes that a merchant bank determines what data is necessary in order to accomplish a particular transaction.
Duration. The entity determines how long data is processed / stored. | ✓ – The EDPB assumes that banks set their own retention periods based upon rules and regulations imposed upon the banking industry.
Recipients. The entity determines who shall have access to the data outside of the organization. | X / ✓ – The EDPB did not take a position as to whether banks determine which third parties will receive personal data. As banks do not typically disclose their subprocessors to their clients, presumably banks make independent decisions regarding the third parties with whom information will be shared.
Data subjects. The entity determines whose personal data is processed. | X – Although the EDPB did not take a position on this factor, presumably a business client determines whose personal information will be processed.
Is an accountant a processor or controller under the GDPR?
A controller refers to the entity that determines the “purpose and means” of how personal data will be processed. Determining the “purpose” of processing refers to deciding why information will be processed. Determining the “means” of processing refers to deciding how information will be processed.[7] That does not necessarily mean, however, that a controller needs to make every decision about how processing will occur. The European Data Protection Board (EDPB) distinguishes between “essential means” and “non-essential means” of processing.[8] Essential means refers to those processing decisions that are closely linked to the purpose and the scope of processing and, therefore, are considered by the EDPB to be “traditionally and inherently reserved to the controller.”[9] Non-essential means refers to processing decisions that are more practical, day-to-day, implementation decisions and can be left to the discretion of a processor. These include such things as the type of computers or software that an organization decides to use.
The EDPB has suggested that accountants may act as controllers or processors in different situations. The following describes those situations in which an accountant might take on controller-related functions and, therefore, would be considered a controller:
[1] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 33.
[2] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.
[3] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.
[4] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.
[5] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.
[6] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 42.
[7] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 33.
[8] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.
[9] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.