The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world.  Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: Are law firms considered “processors” or “controllers” of the personal data that they receive from clients?

Answer: It depends.

Many lawyers (and clients) incorrectly assume that attorneys must be processors because they are service providers of their clients.  As is discussed in Q 159 in some situations a service provider has a role in determining the purposes and means of processing; when that occurs the service provider is, like its client, considered a “controller” or a “joint controller.”

The Article 29 Working Party has taken the position that if a service provider has a “traditional role and professional expertise” that requires it to determine the purpose and means of processing, that independent expertise may convert the service provider into a controller.  They specifically noted that in situations in which a “barrister represents his/her client in court, and in relation to this mission, processes personal data related to the client’s case” the barrister is a controller.¹ Their logic appears to be that the instruction that a client provides to their attorney is not necessarily to process data, but, rather, to represent the client’s interest before a court.  Because the processing of data is an ancillary function that is wholly (or partially) determined by the attorney independent from the client, the attorneys’ processing should be conceptualized as that of a controller. 

The UK ICO – the supervisory authority for the United Kingdom – reached a similar conclusion in the context of discussing whether a solicitor would be a processor or a controller.  The ICO suggested that a solicitor/attorney should be considered a controller in the following situations:

• Advising clients as to legal rights vis-a-vis data subjects. An attorney should be considered a controller when he or she receives personal data about a third party in order to advise the client concerning its rights vis-a-vis the third party data (e.g., a client shares personal data about a former salesman that stole client information).²

• Client defers to attorney concerning use of data. An attorney should be considered a controller when a client has “little understanding of the process the solicitors will adopt or how they will process the personal data” during the course of providing a representation.³

The guidance of the Article 29 Working Party and the ICO leaves open the possibility that in some situations an attorney would, however, act as a processor and not a controller.  For example, if a client retained a law firm for the express purpose of processing data (e.g., conducting document review), and provided specific direction and control regarding how the data was to be processed (e.g., the client selected or approved the type of software that would be used during a document review and how the documents would be stored and processed) an argument could be made that the attorney is, in fact, functioning as a processor and not as a controller.

1. Article 29 Data Protection Working Party, WP169: Opinion 1/2010 on the concepts of ‘controller’ and ‘processor” at 28 (Feb. 16, 2010).

2. UK ICO, “Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are” at 12-13.

3. Id.

[View source.]