The Client is the Controller of the data they own and pay for – mystery shop findings and employee performance

October 11, 2018

I have seen in some Mystery Shopping Providers’ (MSP) proposals for Data Processor Agreements (DPA) that the MSP think that they are the Controller, maybe because the MSP decides how the fieldwork should be conducted, they develop the questionnaire, scenario, guidelines, briefing etc. This is the case of the data they control, their shoppers and employees. However, the MSP is not the Controller as they are assigned by a client to collect data on their behalf. In which case the MSP is the Processor and the client is the Controller.

One of the reasons is as follows: - If they were, the MSP would need to seek active consent from all data subjects in the client’s company, as an external company (MSP in this case) could not claim to have legitimate interest to collect and store personal data without active consent from the data subjects.

When a mystery shopping provider (MSP 1) is engaged by a client to perform evaluations in the clients’ network or channels or establishments, the client is the Controller and the MSP is the Processor.

As the Controller, the client is the party that decides what data should be collected, who should have access to the data, how it should be stored and for how long etc. The client will determine if they will need the data subjects’ active consent or if the client has a legitimate interest to collect and store the data without active consent.

Furthermore, when MSP 1 needs to assign MSP 2 to perform the evaluations in e.g. another country, MSPA 1 is still the Processor and the MSP 2 is a Sub-Processor of client data.

If the Sub-Processor needs to assign further MSP 3 to perform evaluations in some part, then MSP 2 is still the Sub-Processor and MSP 3 is a Sub-Contractor.

Finally, regardless of who is the Controller and who is the Processor all parties are equally liable under the regulations for the personal and sensitive data they collect, process and store. You cannot absolve your responsibility by claiming the role of processor or pushing controller responsibility to another party.

Please check with a lawyer who is an expert in GDPR when you design your DPAs, roles and responsibilities must be clear and defined for each data subject you control and process.