GDPR: Data Controllers, Data Processors and Data Processing Agreements

Before it is possible to understand your obligations under GDPR, it is important to understand whether you are a data controller or a data processor.  

This is because controllers have much more to do when it comes to GDPR compliance. Under GDPR, processors will have their own direct obligations, but these are far fewer than for controllers. Currently, controllers need to contractually obligate processors to treat data in a certain way, but GDPR now explicitly states exactly what that contract should contain.

What is a data controller and what is a data processor?

So how do you know if you’re a controller or a processor? 

It all comes down to decision making. You will be a controller if you determine:

  • Why data should be processed
  • How it should be processed to achieve the intended purpose, or both. 

Processors, on the other hand, never decide why to process data; they leave this to the controller who has instructed them. Processors can make limited decisions about how to go about processing data for the purposes determined by the controller, but these can only be ‘non-essential’ decisions.

This means that essential decisions should always be left to the controller, including decisions about what data to process to achieve the controller’s purpose or the economic model of the purpose pursued.

The main thing to bear in mind is that the roles are allocated on the basis of fact. 

It is not possible to enter a contract which says, for example, “X will be controller, Y will be processor” and be sure that this will be the case.  If, factually, Y has been making decisions about what data to process for X’s purposes, Y will end up in the role of joint controller alongside X.  If Y decides to process data for their own purposes, they will be a sole controller for that new purpose.

Who is who in affiliate marketing?

In affiliate marketing, the advertiser is always a controller because only the advertiser can decide ‘why’ to process data; only the advertiser can decide, for example, “Let’s do some marketing online and pay commissions on a CPA basis”.

But what about networks and publishers?  Are they processors or joint controllers with the advertiser?

Awin’s position is that Awin is a joint controller with the advertiser, along with publishers. There is, in fact, a tri-partite joint controller relationship.  This is because Awin has decided the economic model, and both Awin and publishers decide what data to process to deliver the advertiser’s affiliate marketing campaign.  

This is because of the way transactions are tracked, queried and reported.

How did we come to this conclusion?

We think this conclusion is the only one that accurately reflects how things work in practice. 

If, let’s say, Awin or publishers were to try to work within the constraints of a data processor role, they would need to get any new data processing approved by each respective advertiser in advance every time. They cannot make these decisions themselves.

From a publisher’s point of view, there is also the question of when they would start processing on behalf of the controller advertiser.  Publishers are already controllers of data processed to acquire their own website users; only they have decided the separate purpose “Let’s get some traffic so they can see the ads we publish”.  

If publishers were to be processors for advertisers, at what point in the consumer’s journey onto, around and then away from the publisher website does the role flip? This would vary per ad, let alone per publisher or per publisher model.

What does this mean for publishers?

The benefit of this is that Awin does not require publishers to enter data processing agreements.

However, we are adding new terms to our standard publisher agreement so that we are clear on which joint controller is responsible for what.  These terms cover, for example, how Awin and publishers will handle enquiries from consumers about data, or how they will deal with a data breach should this happen. 

Making these responsibilities clear helps to prevent publishers and Awin being liable for each other’s breaches of GDPR.

It also means that, as controllers, publishers will need to comply with more of the obligations of GDPR. However, publishers already need to do this when processing data for their own purposes. The consequence is that they will now also need to apply these obligations to the data processed to refer a consumer to an advertiser.

The main benefit is that on the Awin network, as long as it is done in accordance with GDPR and relevant agreements or terms, publishers are able to decide for themselves how to process data when driving traffic to advertisers.