We have a municipality who has outsourced the task to deliver food and laundry to people who need assistance. The municipality do not tell us what information we need to process however it is necessary for us to keep list of
name, address, service, food allergies, and sometimes information regarding health, for example hear poorly, so we know to ring the bell many times and that it might take a while.
We need the information to delivery our service to the client and to secure that the right service is delivered to the right person. Processing of health data is for the municipality ok due to social services laws.
So are we a processor or controller and based on what?