We have a municipality that has outsourced the task of delivering food and laundry to people who need assistance. The municipality does not tell us what information we need to process; however, it is necessary for us to keep a list of
name, address, service, food allergies, and sometimes information regarding health, for example hears poorly, so we know to ring the bell many times and that it might take a while.
We need the information to deliver our service to the client and to ensure that the right service is delivered to the right person. Processing of health data is OK for the municipality due to social services laws.
So are we a processor or controller and based on what?
If I were your DPO I would argue that you should set up a processor agreement with the municipality so they remain controller and you are a processor, providing you only intend to use the data for providing the specific service and not any other purposes. You agree what data is necessary; most will be passed to you by the controller (municipality) and some you will need to collect on ‘instruction’ from the controller.
However, it is likely the municipality don’t want the responsibility and probably would not have awarded the contract to a company that wanted to set up an agreement – so I would say you are a processor of the information given to you and a controller of the information collected – do NOT give the information collected to the municipality.
I’d argue you’re a controller: you’re determining the purpose for collecting the data (e.g. not killing people by accidentally inducing anaphylaxis*) and presumably a secure means of processing too. Commissioning a service does not simply make the commissioner a controller of the data collected for the commissioned service. It does behove the commissioner to share data with you (which shouldn’t be an issue legally) for you to provide the service.
*Presumably this even extends to the detergents used for laundry too.