Data Controllers and Processors – Which are we?
Data protection laws (including the GDPR and UK Data Protection Acts) define two important roles: Data Controller, and Data Processor. A data controller is an entity (an organisation or person) that has control and ownership of data. A data processor is an entity that accepts data from a controller and performs operations on it on behalf of the controller, but without any ownership of the data itself – that remains with the controller.
Smartmessages (or to be more precise Synchromedia limited, the owner of Smartmessages) performs both of these distinct roles in two different situations.
When you sign up and log in to your Smartmessages account, we are your data controller – we own the data relating to your Smartmessages account, and any issues you want to raise (e.g. to alter or delete data) we will provide processes (manual or automated) to allow you to do that.
Quite separately, we also act as a data processor for you – you provide mailing lists and templates, which we use on your behalf to provide the subscription handling, email sending, and tracking services that we are contracted to perform for you. We have no ownership over your subscriber data whatsoever; it’s your data, you own it, and in this role, you are the data controller for your own subscribers.
This might seem like an obvious distinction, but it’s not always handled in the way you’d expect. Some very popular ESPs (Email Service Providers), particularly those in the US, claim to be the controller for subscriber data, and so when you upload a list, that data then belongs to them, and they are then free to do what they like with it, including sending their own marketing messages to it, sharing with a long list of third parties, and selling the list on to anyone they like. Needless to say, this unfair use is not compliant with GDPR, and is not something we would ever do anyway.
There are some less overt variations on this kind of abuse, for example it’s common for these rogue ESPs to use third-party tracking (using cookies and scripts, often hundreds at a time) on their subscribe and unsubscribe pages, so they collect and share data about your subscribers without your or the subscriber’s consent. Our subscribe and unsubscribe pages are (of course) cookie and tracker-free.