Privacy Protection Authority
individual requests can be outsourced to the processor, the controller bears the
responsibility for complying with such requests. Therefore, the assessment as to
whether requests by data subjects are admissible and/or the requirements
set by the GDPR are met should be performed by the controller, either on a case-by-
case basis or through clear instructions provided to the processor in the contract
before the start of the processing. Also, the deadlines set out by Chapter III cannot be
extended by the controller based on the fact that the necessary information must be
provided by the processor.”³
It also states the following in an example, to which Nordax refers concerning
the relationship between Nordax and Iper:
“Example: Market research 1
Company ABC wishes to understand which types of
consumers are most likely to be interested in its products and contracts a service
provider, XYZ, to obtain the relevant information. Company ABC instructs XYZ on what
type of information it is interested in and provides a list of questions
to be asked to those participating in the market research. Company ABC receives only
statistical information (e.g., identifying consumer trends per region) from XYZ and does
not have access to the personal data itself. Nevertheless, Company ABC decided that
the processing should take place, the processing is carried out for its purpose and its
activity and it has provided XYZ with detailed instructions on what information to
collect. Company ABC is therefore still to be considered a controller with respect to the
processing of personal data that takes place in order to deliver the information it has
requested. XYZ may only process the data for the purpose given by Company ABC
and according to its detailed instructions and is therefore to be regarded as
processor.”⁴
In the literature, Öman points out the following.
“The legal person which engages any other legal person to process personal data, e.g.
for storing and disseminating or for collecting and processing the personal data, is
normally considered to be the data controller and the hired party as a personal data
processor. This applies even if it is the hired company, and not the company that hires,
that has the knowledge of how best to process the personal data, such as how to
store, collect, disseminate and process them, and the resources to do it. In fact, the
company that hires has decided the means of processing of the personal data by
employing a company that can use certain methods. This may involve outsourcing IT
operations or hiring a company to collect personal data within the framework of
market research.”
Rights of the data subject
According to Article 12(3) of the GDPR, the controller shall provide information on
action taken on a request under Articles 15 to 22 to the data subject without undue
delay and in any event within one month of receipt of the request. That period may be
extended by two further months where necessary, taking into account the complexity
and number of the requests. The controller shall inform the data subject of any such
extension within one month of receipt of the request, together with the reasons for the
delay.
Pursuant to Article 12(6), where the controller has reasonable doubts concerning the
identity of the natural person making the request referred to in Articles 15 to 21, the
controller may request the provision of additional information necessary to confirm the
identity of the data subject.
³ EDPB 07/2020 on the concepts of controller and processor in the GDPR, version 2.0, paragraph 132.
⁴ EDPB 07/2020 on the concepts of controller and processor in the GDPR, version 2.0, page 19.