Data Controller vs. Data Processor Examples
5:08
Legal Disclaimer 
The information provided in this video does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. The law changes fast, so information in the video may not constitute the most up-to-date legal or other information.
Transcript

00:07
Adam Stofsky
So let's say I run a successful group of fast food, like, franchises. I own ten of them in, you know, where I live in upstate New York. And I got lots of customers coming in and I have, like, their... I take credit cards and I take Venmo or whatever, and they come and eat my food and I sell them food and I make a lot of money and I'm really successful, but that's it. So I'm basically a data controller for all that customer data that I kind of hang on to. I have their credit card numbers, so when they come in and they order their food again, they can do it automatically, they can place orders online, et cetera.


00:44

Adam Stofsky
So I'm a data controller for that information, and I have a Salesforce account or a QuickBooks account, and I have some cloud storage and maybe I have a bunch of other SaaS products, but I'm just really a data controller. And all of those companies are my data processors for this data, all my customer data. Is that a good.


01:10

Shannon Yavorsky
Yeah. And you would need to make sure that all of, you know, services that you have, all the SaaS products that you're using to run your company, you've entered into data processing agreements with those guys to make sure that your Salesforce is not using the data for any other purpose other than acting as your CRM. Similarly with payroll, that they're not using that data for any other purpose. But if you take a step back, you're in New York. So we're not thinking about there's no New York state privacy law just yet. So maybe you're outside of all of these obligations. You don't have to enter into data processing agreements with these providers. But let's say you have part of your franchise is in Connecticut and you're collecting data.


02:02

Adam Stofsky
So this is how the Hype is going to expand. I buy 20 more restaurants in Connecticut and my business is booming. And I decide, you know what, I don't want to run all these restaurants. I'd rather franchise those out to people. And I'm going to run an app that provides those companies with kind of insights, and I'm going to also help them with their transaction processing point of sale, right? But you know what? I'm going to hang on to my ten favorite restaurants in New York. So I run ten restaurants, I got a bunch of other franchises, and I have this cool new app that takes all their data and does things so that it maybe provides recommendations, helps them process transactions, et cetera. I just totally made up this business. 


02:42

Adam Stofsky
Is this now a situation where I am a data controller for those ten restaurants where I have customers and they give me money in exchange for food and we process transactions? And I'm now a data processor for this kind of vague and coit app that I just explained, where I help other restaurants with their transactions. 


03:02

Shannon Yavorsky
Yeah. Provided you're just providing the app, you're just providing the platform, and you don't decide, oh, well, it would be, you know, I have all this rich customer data. I know, most people in Connecticut, it seems like if they buy a chicken sandwich, they're also buying fries and a shake. So maybe I need to use this data to help make my sales better in my ten restaurants in New York. Then you've got other things to think about there. Maybe you're not just acting as a data processor anymore by providing the app platform, but that's definitely something that you would need to think through as the platform provider. Are you just providing the platform, or do you have an intention to use that data for other purposes?


03:48

Shannon Yavorsky
And if you want to use it for other purposes, you're going to have to think through your obligations as a controller. 


03:54

Adam Stofsky
Okay, so if you're a data controller for some data, you can potentially become a processor by changing how you use that data, is that right? 


04:02

Shannon Yavorsky
Yeah, that's right. But you would really need to go back to the people that you've sold the app to and redescribe what your services are, because then you're not like a cloud service provider anymore. You're not simply providing the services; you're like, "I'm providing the service, but I also want to use this data." So then you have to figure out all the idiosyncrasies of what you need to do in order to facilitate that kind of data collection and use for your own purposes.


04:29

Adam Stofsky
And you might be violating your contract with your... right?


04:33

Shannon Yavorsky
If you've signed a data processing agreement that, you know, the restaurant franchisor in New York will not use, retain, or disclose your data for any purpose other than simply providing the platform, then you're in a breach of contract situation, as well as a potential violation of the applicable state privacy laws. So lots to think through and make sure you're getting it totally right, because otherwise the company is exposed to regulatory and litigation risk.


05:00

Adam Stofsky
Okay, great. All right, Shannon, thank you so much. 

© 2024 Briefly