Is .legal a data processor?

Applicable from 24 October 2024

At .legal, we believe that we do not act as a data processor in relation to the Customer’s use of our platform. We operate as an independent service provider with our own data responsibility, where the Customer acts as the data controller for their own processing activities.

1. Introduction
2. Definition
3. No processing on behalf of the Customer
4. The Customer has full control over their own data
5. Standardised service without individual customisation
6. Limited and supplementary processing by us
7. Our role as an independent data controller
Additional information

 

1. Introduction

1.1

In the context of data protection and privacy, it is crucial to clearly define the roles and responsibilities of all parties involved. At .legal, we believe that our role is distinct from that of a data processor in relation to the Customer’s use of our platform.

1.2

This document outlines our position as an independent service provider with our own data responsibility, where the Customer acts as the data controller for their own processing activities. Below, we provide detailed definitions and explanations to clarify our role and the extent of our data processing activities.

 

2. Definition

2.1

The definitions of a data controller and a data processor in Regulation (EU) 2016/679 (GDPR) Art. 4 are as follows:

“‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” - GDPR Art. 4(7)

“‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” - GDPR Art. 4(8)

 

3. No processing on behalf of the Customer

3.1

We provide a platform where the Customer enters, manages, and processes their own data. We do not process data according to the Customer’s instructions, and processing on the controller’s instructions is crucial for being classified as a data processor under GDPR Articles 28 and 29. We operate independently within the framework of our own service.

 

4. The Customer has full control over their own data

4.1

The Customer alone decides which data to collect, how it should be processed, and for what purposes. The Customer has full control and responsibility for the personal data processed through our platform.

 

5. Standardised service without individual customisation

5.1

Our platform is a standardised solution that is not tailored to the specific processing activities of individual Customers. We control the technical and certain organisational aspects of the service, but not the Customer’s data or how it is processed.

6. Limited and supplementary processing by us

6.1

Our processing of personal data is limited to what is necessary to deliver and improve the service (e.g., user information for login purposes). This processing is supplementary and falls under the contractual obligations between us and the Customer, as well as our legitimate interests in developing and improving our product, according to GDPR Article 6(1)(b) and GDPR Article 6(1)(f). Even though we may have technical access to data, for example for troubleshooting or technical support, this does not make us a data processor if we do not actively process the data.

 

7. Our role as an independent data controller

7.1

We are the data controller for the personal data we collect and process in connection with Customer relationships (e.g., contact information for billing and support). We therefore operate independently and for purposes we set ourselves, which is why we are an independent data controller, cf. EDPB Guidelines 07/2020.

 

Want to read more on the subject?

Guidance from the Danish Data Protection Agency on Data Controllers and Data Processors.

EDPB Guidelines 07/2020 and related EDPB comments.
