“When People Just Click”: Addressing the Difficulties of Controller/Processor Agreements Online

  • Sam WrigleyEmail author
Part of the Perspectives in Law, Business and Innovation book series (PLBI)


Under the new General Data Protection Regulation, data controllers are only allowed to recruit data processors who provide “sufficient guarantees” that they will comply with data protection law. However, given the wide definitions of the terms “processing,” “controller” and “processor,” it is likely that we will see many situations where at least one of those parties is not acting in a professional capacity, but still comes under the remit of the GDPR (e.g., if the personal data is being processing in a Blockchain). This creates the risk that parties will simply agree to contracts without having read or understood them, leading to significant legal liabilities for both parties and a lack of sufficient protection for data subjects. This chapter will look at how parties should arrange their contracts to provide the best possible chance of complying with data protection law. It will also consider how controllers can use technological and other non-contractual solutions to compliment those agreements while still respecting each party’s autonomy and freedoms. Finally, it will examine the regulatory strategies that can be used to allow amateur controllers to exist without unnecessarily risking data subject rights and freedoms.


Data protection Controller Processor Contracts Smart contracts 


  1. Article 29 Working Party (2010) Opinion 1/2010 on the concepts of “controller” and “processor”Google Scholar
  2. Article 29 Working Party (2018) Letter to Mr. Graux, “Subject: your letter of 7th December 2017 and a new draft code of conduct with the request of a positive opinion from the WP29 under the Data Protection Directive” Accessed 11 July 2018
  3. Bitcoin (2018) Bitcoin Developer Guide Accessed 9 Jan 2018
  4. Eurobarometer (2011) Special Eurobarometer 359: Attitudes on Data Protection and Electronic Identity in the European Union Accessed 12 Jan 2018
  5. European Parliament LIBE Committee (2013) Report on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). COM(2012)0011- C7-0025/2012–2012/0011(COD), A7-0402/2013 Accessed 17 Jan 2018
  6. Fiedler G (2010) Game Networking Accessed 12 Jan 2018
  7. Haapio H, Plewe D, de Rooy R (2017) Contract continuum: from text to images, comics and code. Accessed 27 Sept 2018
  8. Hon W, Millard C, Walden I (2012) Who is responsible for ‘personal data’ in cloud computing?—The cloud of unknowing. Part 2. Int Data Privacy Law 2(1):3–18CrossRefGoogle Scholar
  9. Keller M (2017) Data processor’s responsibilities under the general data protection regulation. LLM Thesis, University of Helsinki, HelsinkiGoogle Scholar
  10. Lannerö P (2013) Fighting the biggest lie on the internet: common terms beta proposal. Accessed 16 Jan 2018
  11. Raskin M (2017) The law and legality of smart contracts. Georgia Law Tech Revue 1:305–341Google Scholar
  12. Savelyev A (2016) Contract Law 2.0: “Smart” contracts as the beginning of the end of classic contract law. Russian National Research University Higher School of Economics Working Paper. WP BRP 71/LAW/2016// = 2885241. Accessed 18 Jan 2018Google Scholar
  13. UK Government Office for Science (2016) Distributed Ledger Technology: beyond block chainGoogle Scholar
  14. UK Information Commissioner’s Office. Data controllers and data processors: What the difference is and what the governance implications are Accessed 10 Jan 2018
  15. UK Information Commissioner’s Office. Where should you deliver privacy information to individuals? Accessed 16 Jan 2018
  16. Webber M (2016) The GDPR’s impact on the cloud service provider as a processor. Privacy Data Protect Law 16(4):11–14Google Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. 1.Faculty of LawUniversity of HelsinkiHelsinkiFinland

Personalised recommendations