CIPP/E Study Guide
Ch 18.2.3–18.2.5 - When a supplier crosses the line

Suppliers as controllers, AI, and chains of processors

A supplier that goes beyond its mandate and acquires a real role in determining the purposes or essential means of processing becomes a controller in its own right (Article 28(10)). But the EDPB accepts a processor may still exercise discretion over technical and organisational means while remaining a processor. AI development is the hardest test: the supplier must show its processing is still on behalf of clients, not for its own purposes. Modern outsourcing also forms chains of sub-processors, where obligations must be flowed down and the customer kept informed of the main elements of the structure.

Suppliers often make some decisions about processing because they have greater expertise. But under Article 28(10), a processor that goes beyond its mandate and acquires a relevant role in determining the purposes or the essential means of processing is a controller, not a processor, for that processing. The EDPB notes a processor may still have discretion over the most suitable technical and organisational means without becoming a controller.

On balance, a supplier is more likely than not to remain a processor unless it is obvious its decisions exceed the scope of the contract. The sharpest test is AI development: the supplier must be able to argue that processing across many clients is still for the benefit of and on behalf of those clients, not for its own purposes. A crucial factor is whether the supplier has its own interest in the underlying personal data beyond serving clients.

Modern outsourcing forms chains: a group procurement entity hires a prime contractor, who subcontracts to group entities or third parties as sub-processors. Obligations are flowed down the chain. The customer need not agree every detail of the means, but the EDPB says the customer must be informed of at least the main elements of the processing structure so it stays in control. The CNIL Guide for Processors stresses that the processor must ensure each sub-processor gives the same sufficient guarantees.

The line between processor and controller

Deciding the non-essential technical and organisational means (for example, which hardware or software to use, or the detailed security measures) = still a processor. Deciding the purposes, or the essential means (which data are processed, about which data subjects, for how long, and who may access them) = becomes a controller under Article 28(10).

Key terms - quick answers

What is “Article 28(10)”?
GDPR provision under which a processor that determines the purposes or essential means of processing is treated as a controller for that processing.
What is “Sub-processor”?
A processor engaged by another processor, which does not have a direct contractual relationship with the ultimate customer.
What is “CNIL Guide for Processors”?
France's DPA guide (2017) emphasising that processors must assist controllers and ensure sub-processors give the same guarantees.
What is “Essential means”?
Core decisions about how processing happens, such as which personal data are processed, about whom, for how long, and who may access them; deciding these (rather than merely the technical details of implementation) tips a processor into being a controller.