Guide to Data Protection Act for Data Controllers

What is a data processor?

Do service providers always act as data processors?

Generally, a service provider handles personal data on behalf of and in accordance with instructions given by its client. Nevertheless, a service provider will not be a data processor in all circumstances.

First, even where a service provider is a true data processor, it may still be a data controller for certain processing activities it carries out for its own purposes.

Example

A service provider who uses the client's personal data to perform its own anti-money laundering checks to comply with legal requirements will be acting as a data controller for this purpose. The service provider, rather than its client, determines the conditions, manner, and purposes of that processing, because it carries out the checks to meet its own legal obligations.

Apart from situations where a data processor is a data controller only for certain purposes, as in the example above, there are situations where a service provider will be a data controller throughout. This is typically because it enjoys a high degree of independence regarding the processing activity, so that it cannot be said that the client truly determines the conditions, manner, and purposes of the processing.

As a rule of thumb, a service provider will likely be a data processor where the actual service it provides is focused on processing personal data on behalf of the data controller. In contrast, where the processing of personal data disclosed by the data controller is merely incidental to the service, rather than its core, the service provider will likely be a data controller.

This rule of thumb will not always be appropriate, and other factors may need to be considered when assessing whether a service provider is acting as a data processor or a data controller.

Examples

  1. A catering company is given the names and dietary preferences of guests by the corporate hosts of a commercial dinner party.[1] The core service provided by the catering company is the dinner. The catering company processes the personal data of the guests only incidentally to provide the dinner. The catering company is a data controller and not a data processor.
  2. A retailer provides the shopping history and details of its female customers to a data analytics company in order to learn which of its customers are pregnant. The core service provided by the data analytics company is the analysis of the personal data. The data analytics company is a data processor.
  3. Many of the investment funds domiciled in the Cayman Islands do not have a physical presence in the islands and rely on a broad range of service providers to support their business operation.
    • Some service providers (for example providers of registered office services, corporate secretarial services, and fund administration services) engaged by the investment funds are, on balance, likely to handle personal data solely for the purposes of providing services to the investment funds, in accordance with a mandate agreed with and provided by the investment funds. Such service providers are likely to act as a data processor.
    • Some service providers (for example providers of anti-money laundering compliance services, legal advisors, banks, insurers, etc.) may be exercising a considerable degree of discretion and autonomy in handling personal data in providing their services. Such service providers are likely to act as (joint) data controllers in their own right, even if they are providing a service.
    • External directors, when acting in their role as company organ, will fall into none of the above categories. As a company organ, they are deemed to be one and the same as the data controller they direct.

[1] Data minimization and other data protection principles must be complied with.

Thus, whether a data controller which engages a service provider should treat the service provider as a data processor will depend very much on the context, and, in particular, on the nature of the service provided and the extent to which the service provider exercises autonomy and discretion in deciding what personal data should be handled, and why and how, in providing the services.

Generally, a service provider which performs an outsourced administrative or support function (e.g. back office support, IT support, payroll processing, etc.) is more likely to act as a data processor, while a service provider which provides regulated professional services (e.g. banking, insurance, legal, actuary, accountancy, etc.) is more likely to act as a data controller.

However, this distinction is not definitive, and each engagement should be considered on a case-by-case basis by paying attention to what the service provider is actually doing with the personal data. There may well be circumstances where a service provider which one might characterize as a data processor is in reality acting as a data controller (or, conversely, where a service provider which one might characterize as a data controller is in reality acting as a data processor).

  • If a data controller engages a service provider who acts as a data processor, it will need to make sure that the engagement is based on a written contract which conforms to the requirements of the DPA (see Contracts between data controllers and data processors).
  • To the extent a service provider which primarily acts as a data processor has a limited need to act as a data controller in its own right, it is best practice to state this in the contract. Additionally, where such service providers are based outside the Cayman Islands, it may also be necessary to put in place additional contractual safeguards to address the cross-border transfer of personal data (see Eighth data protection principle - International transfers).
  • If a data controller engages a service provider who acts as a data controller, the DPA does not require any specific terms to be agreed with the other data controller. However, a data controller which shares personal data with another data controller has a duty to make reasonable efforts to ensure that the receiving data controller will be compliant. The extent of the efforts required will depend on the intended processing activity and the type of personal data being disclosed. A data controller might still wish to obtain an assurance that such service providers will comply with the DPA, to the extent applicable. Furthermore, where such service providers are based outside the Cayman Islands, it may be necessary to put in place additional contractual safeguards to address the cross-border transfer of personal data (see Eighth data protection principle - International transfers).

Relevant provisions

Data Protection Act (2021 Revision)

Section 2: Definitions

Section 6: Application of the DPA, duty to nominate a representative

Schedule 2, part 2, para 3: Processing contract to ensure reliability

Schedule 4, paras 1 and 2: Consent to transfer and contractual provisions

Schedule 4, paras 8-9: Transfers made on terms approved, or authorised by Ombudsman

Further guidance

Article 29 Working Party: Opinion 1/2010 on the concepts of “controller” and “processor”
