0

Alice contracts with ACME insurance which sends her to their identity verification solution provider’s app/website (BCME KYC SOLUTIONS Inc). BCME’s portal asks Alice for photos of herself and other materials which they then collect and store on their systems.

If the data were collected by ACME and then stored with a third party infrastructure provider such as AWS or Azure then I expect that they would merely be processors. But as the data is collected from the subject directly by the third party itself, is BCME a controller or processor even though its contractual/business relationship is only with ACME and not Alice herself?

Improve this question
2
  • 1
    GDPR doesn't distinguish between different processing activities. Both collection and storage are just processing. The CJEU has also ruled that one can be controller even without access to the data being processed. In your scenario, both Controller and Processor roles would be possible, depending on whether BCME processes the data only as instructed, or also for its own purposes. For example, if customers create an account with BCME and can reuse their KYC verification across BCME's customers, that might indicate a Controller role.
    – amon
    Commented Jan 12 at 6:55
  • Why not post this as an answer? @amon
    – TylerDurden
    Commented Jan 14 at 20:04

0

Reset to default

You must log in to answer this question.