Some time ago, the ICO issued an action (might have been a penalty, but could be an enforcement) in which they disregarded a data processing agreement and deemed that an organisation was acting as a controller, despite the fact the agreement placed them as a processor. Can anyone point me in the right direction? I can’t for the life of me remember which action it was.
Smurf333
Emailmovers Ltd on 22nd June 2021, ere issued with an enforcement notice. The ICO as of the opinion that the company characterised itself as a processor but in the ICO’s opinion it as a controller. This was confirmed by examination of the agreement between the parties. The company was able to exercise discretion as to which parties they disclosed data to. The ICO felt that this was a decision that only a data controller could make. The ICO goes on to cite several other reasons for the decision within the Enforcement Notice. I hope the above is helpful.