What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?
What is the consequence if a processor makes an independent decision regarding the purposes and means of processing it carries out on behalf of a controller?
If a processor makes an independent decision regarding the purposes and means of processing, it steps beyond its role as a processor and assumes the role of a controller for the specific processing activity. This means that the processor then takes on the legal responsibilities and obligations of a controller in respect of that processing.
If a processor makes independent decisions regarding the purposes and means of processing it carries out on behalf of a controller, it steps beyond its role as a processor and takes on the role of a controller for that specific processing activity. This shift in roles means that the processor assumes the legal responsibilities and obligations of a controller for those decisions.
Agree - If a processor acts outside of a controller's instructions in such a way that it decides the purpose and means of processing, then it will be a controller and will have the same liability as a controller. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/contracts-and-liabilities-between-controllers-and-processors-multi/responsibilities-and-liabilities-for-processors-in-their-own-right/#:~:text=If%20a%20processor%20acts%20outside,same%20liability%20as%20a%20controller.
In such a case, the controller may be held accountable for the actions of the processor and will need to provide evidence that the unauthorized processing had a negative impact on the parties involved.