Controller and Processor

Usually, a chatbot software provider should act as a Data Processor, but it depends on the level of the autonomy it has in the way it establishes the purposes and means of processing. According to European Data Protection Board’s Guidelines 07/2020 on the concepts of controller and processor in the GDPR, “the role of a processor does not stem from the nature of an entity that is processing data but from its concrete activities in a specific context. The nature of the service will determine whether the processing activity amounts to the processing of personal data on behalf of the controller within the meaning of the GDPR”. If the chatbot software provider has autonomy in the way it is processing personal data (for eg it decides to analyze the content of the conversations to extract key information), it is a data controllers. If it can define a framework in which it can operate by obeying clear personal data processing instructions given in the service contract and in the data processing agreement, it can act as Data Processors.  

Please consult these links as well:

• Article 28 GDPR – Processor: https://advisera.com/gdpr/processor/
• European Data Protection Board’s Guidelines 07/2020 on the concepts of controller and processor in the GDPR: https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/guidelines-072020-concepts-controller-and_en
• EU GDPR controller vs. processor – What are the differences? https://advisera.com/articles/eu-gdpr-controller-vs-processor-what-are-the-differences/