SMP Snack: GDPR – am I a processor or a controller?

In the next SMP Snack series, SMP eGaming Regulatory Compliance Manager Phil Knox follows last week’s article on whether you need to register under GDPR with guidance to a question which is far more important than you may first realise.
Now here’s a question to get to grips with over a festive tipple or a mince pie!
One thing is certain: whether you’re an individual or acting on behalf of a business, it is essential you agree with your operator on the status of your processing activity and whether you are, in fact, a ‘processor’ or a ‘controller’. The extent to which an organisation is subject to obligations under data protection law depends on it, but it can be far from clear who’s the controller and who’s the processor.
To help you reach a conclusion here are some pointers.
Control of personal data is the determining factor here. Under the GDPR, the controller is the person (or business) who, alone or jointly, determines the purposes for which, and the way in which, personal data is processed. In most circumstances, affiliates are, in some way, responsible for personal information and determine the purposes and means for processing players’ personal data, so would therefore be a controller.
In contrast, a processor is anyone (individual, public authority, agency, or other body) who processes personal data on behalf of the controller (excluding the controller’s own employees) or another processor (sub-processor). This could include anything from appointing a data analytics provider to something as seemingly trivial as, for example, storage of data on a third party’s servers.
That may sound straightforward enough but often the arrangements are not that simple and another key factor to consider is the relationship between the operator and the affiliate. The difficulty is predominantly due to an operator only becoming a controller once the player has been passed through and signed on to the website. Until then, the operator is not involved in any processing which begs the question: who is in control of that data?
As a processor, the affiliate would carry out processing activity solely for the purposes of driving traffic to the operator’s website. As a controller, the affiliate would essentially determine the means and ways in which they can obtain customers – again, until such time as they are passed to the operator. So, there is a fine line that will depend on the exact nature of your activity. If in doubt, consult an expert – we’ve done a lot of work helping gaming companies identify their exact position under the GDPR.
As either a processor or controller, an affiliate can still be liable under GDPR, even if the role of a controller is likely to be preferable to the operator as it lessens risk in terms of potential data breaches. Equally, in assuming the role of a controller, it’s imperative to remain transparent with customers when you process their personal data and have a robust framework in place to ensure compliance with the GDPR.