It depends.

Many lawyers (and clients) incorrectly assume that attorneys must be processors because they are service providers of their clients. In some situations, a service provider has a role in determining the purposes and means of processing; when that occurs the service provider is, like its client, considered a “controller” or a “joint controller.”

The Article 29 Working Party took the position that if a service provider has a “traditional role and professional expertise” that required it to determine the purpose and means of processing, that independent expertise could convert the service provider into a controller. They specifically noted that in situations in which a “barrister represents his/her client in court, and in relation to this mission, processes personal data related to the client’s case” the barrister is a controller.[1] Their logic appears to be that the instruction that a client provides to their attorney is not necessarily to process data, but, rather, to represent the client’s interest before a court. Because the processing of data is an ancillary function that is wholly (or partially) determined by the attorney independent from the client, the attorneys’ processing should be conceptualized as that of a controller.

The UK ICO – the supervisory authority for the United Kingdom – reached a similar conclusion in the context of discussing whether a solicitor would be a processor or a controller. The ICO suggested that a solicitor/attorney should be considered a controller in the following situations:

  • Advising clients as to legal rights vis-a-vis data subjects. An attorney should be considered a controller when he or she receives personal data about a third party in order to advise the client concerning its rights vis-a-vis the third-party data (e.g., a client shares personal data about a former salesman that stole client information).[2]
  • Client defers to attorney concerning use of data. An attorney should be considered a controller when a client has “little understanding of the process the solicitors will adopt or how they will process the personal data” during the course of providing a representation.[3]

The view of the ICO was echoed by The Bar Council of England and Wales, which stated in a memorandum that “[f]or the avoidance of doubt, self-employed barristers are data controllers of their client’s data. They are not data processors.”[4]

In Germany, the national Council of Data Protection Commissioners (Datenschutzkonferenz) has taken a similar approach and confirmed that attorneys are acting as controllers when processing personal data of their clients.[5]

The guidance of the Article 29 Working Party, the UK ICO, the UK Bar Council, and the German Council of Data Protection Commissioners leaves open the possibility, however, that in some situations an attorney could act as a processor and not a controller. For example, if a client retained a law firm for the express purpose of processing data (e.g., conducting document review or hosting a document room), and provided specific direction and control regarding how the data was to be processed (e.g., the client selected or approved the type of software that would be used during a document review and how the documents would be stored and processed), an argument could be made that the attorney is, in fact, functioning as a processor and not as a controller.

Even in situations in which it appears that a client has provided specific directions and retains a large degree of control, a law firm may still find itself acting as a controller with regard to data if it is required to process data outside of those client instructions in order to comply with regulatory or professional obligations.[6] For example, an argument could be made that a law firm acts as a controller of data if it is required to (i) carry out internal conflicts and other regulatory checks on new client matters or to undertake appropriate client due diligence in accordance with anti-money laundering laws; (ii) subject to duties of confidentiality and privilege, cooperate with regulators and other public authorities (including by responding to regulatory requests for information, undertaking internal investigations, and complying with reporting and other professional obligations); or (iii) disclose personal data over a client’s objection to a court during the course of litigation.


[1] Article 29 Data Protection Working Party, WP169: Opinion 1/2010 on the concepts of ‘controller’ and ‘processor’ at 28 (Feb. 16, 2010).

[2] UK ICO, “Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are” at 12-13.

[3] Id.

[4] See Memorandum issued by UK Bar Council in April 2018 (last viewed 8 October 2020).

[5] See Datenschutzkonferenz, Kurzpapier Nr. 13, Auftragsverarbeitung, Art. 28 DS-GVO (16 January 2018), p. 4.

[6] For example, while a barrister that is on secondment at a solicitor’s firm might in some instances be considered a processor of the solicitor, The Bar Council of the UK has cautioned that the barrister may still need to “exercise their independence” either to perform their work or to comply with their obligations under their professional code of conduct. As a result, even while under secondment a barrister may still be considered a “data controller.” See Memorandum issued by UK Bar Council in April 2018 (last viewed 8 October 2020).

David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognition from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Association’s primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Association’s primary publication on the California Consumer Privacy Act (CCPA).

Carsten A. Kociok

Carsten Kociok focuses his practice on the technology industry. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.