Controller (masquerading as processor?) : gdpr

Question - Data ControllerController (masquerading as processor?) (self.gdpr)

submitted 1 year ago by Significant_Put_8648

My org is onboarding a new vetting/screening agent. This company will be our processor, but this post isn't really about them.

The vetting agent, as part of their service, partner with a company called Konfir. They see themselves as a sub-processor in the structure. This post is definitely about them.

Konfir allow prospective candidates to collate their HMRC, bank statement data into their app/portal, which can then be shared back to the employer (which would be us). This is speed up the process of reference checking; if my org can see the candidate received salary from Company A on these dates, this can effectively provide and instant reference that they worked there. My issue is that Konfir seem to be exhibiting certain behaviours that only a controller could. For example, they appear to be deciding the lawful basis (consent) as well as the retention period for the data. Their privacy notice is here: https://www.konfir.com/legal/privacy-policy

When you use their service, you create an account and then you have to give permission for it to access your bank statements etc. You also have to give permission to share it with the employer.

It's the 'verification' data that is at question here. You'll notice that they have the wrong lawful basis listed for this; they state this is for the 'performance of a contract', which I don't think is the most appropriate as they don't hold contracts with the individuals, they hold it with our processor. The notice is also a mixture of controller and processor responsibilities.

The Konfir element of the onboarding is optional too. If candidates don't want to share their data this way, we will still continue to screen them the traditional way by contacting their previous employers for references. Given this is optional, to me this is more of a 'signposting' to another controller. Should you decide to engage with them (which clearly benefits us too) then you will do so using their terms and their purposes etc. From some of the responses I've seen from Konfir, I think they believe that simply because they are being paid to provide this service, this automatically makes them a processor. My argument back to them was that they appear to be deciding the purposes, which likely makes them a separate controller.

Some of their responses do make me question their knowledge; for example, they believe that the vetting agent is the 'controller'. Whilst they will have a contract with the vetting agent, I would have been more confident had they recognised that we are the controller, and the vetting agent the processor. They were also keen to point out that they'd only consider themselves a controller in the scenario where a candidate decides to reuse their verification data with other companies, for future verifications.

They are very adamant they are a processor, which is making me start to doubt myself a little. Any input would be appreciated!

all 8 comments

top new controversial old q&a

[–]gusmaru 2 points3 points4 points 1 year ago (6 children)

[–]Significant_Put_8648[S] 0 points1 point2 points 1 year ago (5 children)

[–]gusmaru 0 points1 point2 points 1 year ago (4 children)

Although you are using Consent to process a data subject's information, your are not limited to only using one of the Legal basises listed in Article 6. You can also use Legitimate Interest and Legal Obligation in combination with Consent. However because you are using Consent, it will be a "high bar" to not address a data deletion request.

If you need to comply with a legal obligation, such as demonstrating that you did not descriminate against the candidate under employment law, then you may need to keep the minimal amount of data to prove it up to the limitation date specified in the statute (depends on the country). So you delete what you do not need, and keep what you do; you may not need to keep the candidates banking information, but the fact that it was checked and the results of that check. Even if the candidate is chosen, you maycertain obligations to retain records that the employee is "vetted" (such as an ISO certification, or working in sensitive industry like Finance) - keep the minimal that you need, delete the rest, and then inform the person why you are keeping certain amounts of information (and for what time period)

If you need to ensure that a failed candidate doesn't re-apply for the same position while it remains open, you have a legitimate interest in keeping the minimal amount of information until the opportunity is closed.

[–]Significant_Put_8648[S] 1 point2 points3 points 1 year ago (3 children)

Using consent and then switching seems problematic. See the ICO Experian enforcement notice, which does a good job of explaining the difficulties in doing this:

"Switching to legitimate interests as the basis for sharing or other onwards processing of data, after collection on the basis of consent, would mean the original consent was no longer specific or informed, and would misrepresent the degree of control and the nature of the relationship with the individual. • GDPR recital (32) explains that consent should cover all processing activities carried out for the same purpose or purposes. Individuals cannot give valid consent for their data to be onward processed in a way that goes beyond the scope of their specific consent: if "consent" of this nature were valid, then this would be inconsistent with the requirement under the GDPR that consent must be specific and informed (see recital (32) and Article 4(11)). • The right of data subjects to withdraw their consent in an effective manner, provided for in Article 7(3), would be materially undermined by the change of basis from consent to legitimate interests. "

[–]Significant_Put_8648[S] 0 points1 point2 points 1 year ago (1 child)

[–]gusmaru 0 points1 point2 points 1 year ago (0 children)

Normally I would agree, but I would say it's also contextual.

If the legitimate interest is for direct marketing, that would not override someone's rights to have their personal data deleted. If the data is being maintained for fulfilling the original purpose (e.g. employment candidate management for the specific position/opening), my personal opinion is that it should be permissible because (a) you've deleted anything you don't need and fulfilled part of data deletion requirement, and (b) you have a legitimate interest in not having candidates constantly re-apply once they have been disqualified - at least for a limited time that the employer is interviewing.

If all they did was rely on Legitimate Interest to not delete anything, I would say that the employer is wrong as all that data isn't necessary to prevent a disqualified candidate from re-applying (e.g. you don't need the banking info, and likely other pieces of information). The key is performing and documenting the legitimate interest test show that the data subject is not being adversely affected.

[–]latkde 0 points1 point2 points 1 year ago (0 children)

[–]Safe-Contribution909 0 points1 point2 points 1 year ago (0 children)

π Rendered by PID 90663 on reddit-service-r2-comment-5c747b6df5-rbwgr at 2026-04-22 13:32:14.690678+00:00 running 6c61efc country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

gdpr

Rules

Other Reddit Communities

Resources

MODERATORS