Case Studies Access Request Complaints
Data Controller vs Data Processor obligations
An individual made an access request under Article 15 of the GDPR to an organisation they believed to be processing their personal data. Upon receipt of this request, the organisation notified the individual that it was not the data controller in this instance. The organisation advised the individual that it had referred the request to the actual data controller in line with its obligations under Article 28(3)(e) of the GDPR to assist “…the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights”. The individual was not satisfied with the response and submitted a complaint to the DPC.
The DPC requested documentary evidence from the organisation (data processor) which would support its assertion that it was not the data controller in this instance. The organisation provided the DPC with a copy of a data protection agreement, which explicitly detailed the organisation as the data processor and the other party as the data controller in relation to the personal data being processed in this instance. This agreement outlined in specific detail that the organisation only processed personal data upon instruction from the data controller. The DPC examined this agreement and affirmed that the organisation to which the individual submitted the access request was the data processor in this instance.
The DPC accepted that the organisation was the data processor for the personal data which had been requested in this instance and that it had complied with its obligations under both Article 15 and Article 28(3)(e) of the GDPR.