We have advised many firms have on the issue of Outside Counsel Guidelines which purport to decree that the firm is a (data) processor (which has significant downsides) rather than a controller.  If there were any lingering doubt, the latest guidance from the ICO (updated December 2018), Contracts and liabilities between controllers and processors,  and the new section in the ICO’s Guide to the GDPR, What are ‘controllers’ and ‘processors’?, should assist in resolving this.

‹ Back to Publications