Part 2: Conducting expert calls under GDPR - the responsibilities of the client
This blog post is written for informational purposes only. It does not constitute legal advice, and should not be used as such.
In our first blog post about expert calls and GDPR, we looked at which responsibilities expert networks have when processing personal data related to expert calls. Today we will discuss the role and the responsibilities of the client.
Expert networks generally determine the purposes and means of processing of the expert’s personal data when recruiting individuals for expert calls, and hence act as a Data Controllers (if you need a recap on the definitions under GDPR, please read our first blog post). The expert, on the other hand, is the natural person whose data is being processed, and hence takes the role of a Data Subject.
But where does this leave the client?
From a first look at the definitions, it’s easy to think that the client is just a recipient. But is it true that it’s only the expert network that processes expert data, and that the client merely receives anonymized expert profiles?
Well, reality is a bit more complex than that. As soon as the client accesses the data and starts processing it for its own purposes, it actually becomes a data controller in its own right. Processing is a wide concept under GDPR, and everything from saving a CV on a hard drive to compiling expert profiles in excel sheets counts as processing. So what makes the client a controller and not a processor? Is it fair that the client has the same level of responsibility for its handling of the expert personal data as the expert network does?
Let’s revisit the definitions. A data processor is “a natural or legal person which processes personal data on behalf of the controller”. In order for the client to act as a data processor, it would need to process the data on behalf of and as instructed by the expert network. As soon as the client makes its own decisions regarding the processing, it becomes a data controller. (Theoretically, a client could of course receive a fully anonymized expert profile or conduct a call with the expert without receiving any personal data, and in those cases the processing would not be restricted by the GDPR).
GDPR introduces the concept of joint-controllers, when two controllers jointly determine the purpose of the processing. That is not the case in this situation though: instead the parties act as separate and independent controllers and each party is responsible for its own processing of the data.
So what does this mean in practice? Well, it actually means that the client is bound to the same set of responsibilities as the expert network. Just as the expert network, the client needs to define a legal basis for its processing, as well as set up processes around data retention and storage limitation.
So now we know that the expert is a data subject, and that both the expert network and the client act as data controllers. But where does this leave Inex One? What responsibility do we have for the processing of personal data, and how can we help our clients comply with GDPR? Read more about this in part three of our GDPR blog post series.