PerformanceININside Performance Marketing
PI LIVE 2019
'Processor or Controller': Awin Throws Down Gauntlet on Affiliate Network GDPR Data Handling

'Processor or Controller': Awin Throws Down Gauntlet on Affiliate Network GDPR Data Handling


“We consider that in the ordinary course of our business, Awin acts as a data controller jointly with the respective advertiser.”

Awin’s global client strategy director, Kevin Edwards, claims businesses “have to decide whether they are data processor, or data controller” ahead of the GDPR (General Data Protection Regulation).

The statement is part of a blog post in which Edwards lays out the position being taken by the affiliate network in regard to legal data-handling after the May 25 update, and the implications this will have on its advertisers.

The concept of controllers and processors is “not new under the GDPR”, says Edwards, but will have vital importance with the former facing stricter requirements over accountability.

Processor or controller?

To help define these terms, the latter refers to a party that handles personal data on behalf of a data controller and is subject to fewer obligations under the law; it could include storage of data on third-party serves, for example, or working with a data analytics provider.

Meanwhile, ‘controllers’ refer to those parties that control - rather than possess - personal data by determining its purpose and means of use, or the ‘why’ and ‘how’, as Edwards puts it, which can be determined by one party or jointly with others.  

According to the network’s own “privacy impact assessment”, Awin categorises it handling of data into the latter position. While its advertisers chiefly determine the purpose of the network’s data use, “they are the ones to determine whether or not to run an advertising campaign when participating”, while the network itself will generally determine the means of its use, such as to facilitate tracking.

“Therefore, we consider that in the ordinary course of our business, Awin acts as a data controller jointly with the respective advertiser,” Edwards states.

Joint controllers

As a joint controller, the impact here for Awin and its advertisers, and what will surely be a consideration for other affiliate networks, is that it will assume the same obligations under GDPR as its advertisers: “We will have shared responsibility in safeguarding the data we use for our tracking purposes, and will be subject to the same obligations and level of accountability before data protection authorities.

“Naturally this also means that the traditional controller-processor model will not apply within our relationship and instead Awin and its advertisers will have to regulate their relationship as joint controllers,” Edwards adds.

In efforts to formalise and clarify this arrangement, Awin has introduced a template data processing agreement which defines the network’s obligations and relationship as joint controllers. This audit will include reviewing existing agreements to ensure legal and factual accuracy under the GDPR.

Do you represent an affiliate network? How is your company readying itself for GDPR-compliance? Let us know in the comments section below, or email us your comments to

Continue the conversation

Have something to say about this article? Comment above, share it with the author @markjpi or directly on Facebook, Twitter or our LinkedIn Group.

Mark  Jones

Mark Jones

Mark manages all aspects of editorial on PerformanceIN as the company's Head of Content, including reporting on the fast-paced world of digital marketing and curating the site’s network of expert industry contributions.

Going by the ethos that there is no 'jack-of-all-trades' in performance marketing, only experts within their field, Mark’s day-to-day aim is to provide an engaging platform for members to learn and question one another, helping to push the industry forward as a result.

Originally from Plymouth, Mark studied in Reading and London, eventually earning his Master's in Digital Journalism- before making his return to the West Country to join the PI team in Bristol.

Read more from Mark

You may also like…