Recipient Role
https://publicschema.org/vocab/recipient-role
The legal relationship between the data controller and a recipient organisation, which determines the obligations each party carries under data protection law. The distinction between processor, joint-controller, independent-controller, and sub-processor is legally material and affects which contracts are required, who bears accountability for the processing, and what rights the data subject can exercise against each party.
Aligned standards
| Standard | Equivalent | Match |
|---|---|---|
| DPV v2 | DPV v2 data processing roles | close |
| Each value maps to a DPV v2 class: processor to dpv:DataProcessor, joint_controller to dpv:JointDataControllers, independent_controller to dpv:DataController, sub_processor to dpv:DataSubProcessor. The match is close (not exact) because dpv:DataController is broader than independent_controller; DPV does not carry a dedicated class for a controller-to-controller recipient relationship. | ||
Values
| Code | Label | Standard code | Definition |
|---|---|---|---|
processor | Processor | An organisation that processes personal data on behalf of and under the instructions of the controller. The controller retains accountability for the processing; the processor acts only on documented instructions. A data processing agreement is required. DPV mapping, dpv:DataProcessor, URI, https://w3id.org/dpv#DataProcessor. | |
joint_controller | Joint controller | An organisation that jointly determines the purposes and means of processing with the primary controller. Joint controllership triggers GDPR Article 26 obligations including a documented arrangement defining each party's responsibilities. Both controllers are jointly and severally accountable to data subjects. Reference the arrangement document in joint_controller_arrangement_ref. DPV mapping, dpv:JointDataControllers (class representing the pair or group), URI, https://w3id.org/dpv#JointDataControllers. | |
independent_controller | Independent controller | An organisation that receives personal data and processes it for its own, independently determined purposes. The originating controller is responsible only for the transfer itself (ensuring a lawful transfer mechanism); the receiving organisation is independently responsible for its own processing. No data processing agreement is required, though a data sharing agreement is typically good practice. DPV mapping, dpv:DataController, URI, https://w3id.org/dpv#DataController. | |
sub_processor | Sub-processor | An organisation engaged by a processor (not the controller directly) to carry out specific processing activities on behalf of the controller. The original processor is responsible for ensuring the sub-processor is bound by equivalent obligations. GDPR Article 28(4) requires the processor to obtain prior written authorisation from the controller before engaging a sub-processor. DPV mapping, dpv:DataSubProcessor (a subclass of dpv:DataProcessor), URI, https://w3id.org/dpv#DataSubProcessor. |
Referenced by this vocabulary
- W3C DPV v2 W3C Data Privacy Vocabularies and Controls Community Group (DPVCG), 2024