25 min · Adrián

The Lawyer as Data Controller

When the firm is controller vs processor, legal bases for processing, records of activities, data subject information and processor relationships.

Controller or Processor? The Key Distinction

Every law firm processes its clients' personal data, but the legal classification of that processing depends on context. In most cases, the firm acts as a data controller (Art. 4.7 GDPR) because it determines the purposes and means of processing: it decides what data to collect, how to store it, and how to use it.

However, there are situations where the firm may be a data processor (Art. 4.8 GDPR). For example, when a company outsources data protection complaint handling and the firm processes data following the client's instructions without deciding the purposes. The distinction is fundamental: the controller bears the primary compliance burden, while the processor always acts under documented instructions.

Legal Bases for Processing (Art. 6 GDPR)

To process personal data lawfully, you must rely on at least one of the six bases in Article 6:

  1. Consent (Art. 6.1.a): Must be free, specific, informed and unambiguous. In the law firm context, it is rarely the most appropriate basis for core processing due to the inherent imbalance in the lawyer-client relationship.
  2. Contract performance (Art. 6.1.b): The standard basis for processing client data under the engagement letter or legal services contract.
  3. Legal obligation (Art. 6.1.c): Applies, for example, to document retention required by Anti-Money Laundering legislation (client identification, 10-year retention).
  4. Vital interests (Art. 6.1.d): Exceptional in legal practice.
  5. Public interest (Art. 6.1.e): Relevant for court-appointed defence or legal aid.
  6. Legitimate interest (Art. 6.1.f): May support sending commercial communications to existing clients or managing conflicts of interest, always after a documented balancing test.

Records of Processing Activities (Art. 30 GDPR)

Any firm with 250 or more employees, or that processes special categories of data on a non-occasional basis, must maintain records of processing activities. In practice, the Spanish DPA (AEPD) recommends that all firms maintain them regardless of size.

The record must include at minimum: controller and DPO contact details, processing purposes, categories of data subjects and personal data, recipient categories, planned international transfers, retention periods, and a general description of security measures.

Practical tip: Organize the record by areas of activity (individual clients, corporate clients, employees, suppliers, marketing, CCTV where applicable).

Data Subject Information (Arts. 13-14 GDPR)

On first contact with a potential client, you must provide in concise, plain language: controller identity, processing purposes and legal basis, recipients, retention period, data subject rights (access, rectification, erasure, portability, restriction, objection), and the right to lodge a complaint with the AEPD.

The most common approach is to include this in the engagement letter and additionally publish a privacy policy on the firm's website. If you receive data from third parties (not from the data subject), Article 14 applies and you must inform within a reasonable time (maximum one month).

Processor Relationships (Art. 28 GDPR)

When the firm contracts services involving access to client personal data (cloud hosting, practice management software, digitization services, accounting), it must execute a data processing agreement covering: subject matter and duration, nature and purpose, data types and categories of data subjects, processor obligations (confidentiality, security measures, breach notification, cooperation, data return or destruction upon termination), and prohibition of subprocessing without prior written authorization.


Module quiz

  1. A law firm receives client data to handle their court cases. What is the firm's classification regarding that data?
  2. A firm wants to send a legal newsletter to current clients. What is the most appropriate legal basis?
  3. Must a sole practitioner with no employees who regularly processes client health data keep records of processing activities?
  4. A client requests access to all personal data the firm holds about them. What is the maximum response deadline?
  5. The firm contracts a cloud storage service for client case files. What document is essential to execute?
