A "data intermediary" is defined in the Personal Data Protection Act 2012 ("PDPA") as an organization which processes personal data on behalf of another organization but does not include an employee of that organization. In practice, it generally refers to a third party that executes a function for your organization as though it were part of your organization. An example of this is a web hosting service such as Amazon Web Services ("AWS").
It's clear that organizations have data protection obligations as data controllers because they are responsible, at the very least, for the personal data of their employees. It's also clear that organizations acting as data intermediaries only need to comply with the protection and retention obligations under the PDPA in respect of the personal data they process on behalf of the instructing organization.
But it's also increasingly looking (to me at least) as though a data intermediary may be both a data controller and a data intermediary in respect of the same personal data, depending on what's being done with the personal data. The Personal Data Protection Commission ("Commission") has not addressed this issue yet, but allow me to explain why I think this must be the case.
Going back to AWS as an example, and indeed, the reason I picked it: AWS provides web hosting services. AWS allows organizations to store personal data on cloud-based servers, and to make that data accessible via the internet, such as through websites. An organization that engages AWS to provide cloud-based web hosting engages AWS in its capacity as a data intermediary - AWS has no control over what personal data is uploaded to its servers, nor does it deal with the personal data in any way beyond simply storing it, as is its function. The organization that engages AWS to provide the web hosting services is the data controller in respect of that personal data.
However, AWS has physical servers supporting its cloud-based services around the world, including the US, Brazil, Europe, East Asia, Australia and Singapore. To provide its cloud-based services, AWS transfers personal data out of Singapore to whichever country/countries physically store(s) the data. The AWS client has no control over which country the personal data is being transferred to.
Therefore, although AWS, in its capacity as a service provider, acts as a data intermediary in respect of its client's personal data, it acts as a data controller in respect of that same personal data in relation to AWS's own internal business processes.
Service providers who find themselves in similar scenarios should be aware that they may ultimately need to comply with 2 sets of obligations in relation to that one set of personal data.
The first is the complete set of data protection obligations that a data controller must comply with, and this arises in relation to how the service provider treats the personal data internally, vis-à-vis its own work processes. The second set comprises only the protection and retention obligations that a data intermediary must comply with, and this arises in relation to how the service provider treats the personal data externally, i.e., in its capacity as a service provider processing the personal data for a client.
Associate Director, Bernard & Rada Law Corporation
The posts found in this Law Blog are not legal advice, nor are they given for the purpose of providing legal advice.
You should contact your lawyer for legal advice if you need legal assistance.