GCC Build OS v0

Set the GCC's controller / processor posture for group personal data

legal.d.dpa_controller_processor_posture

P0 GCC

Summary

Designation drives every downstream data-protection obligation. Conservative bet for an internal-shared-services GCC is processor; deviation needs articulated reasoning. Excludes PDPL-specific controls (Phase 1B).

Rationale prompt skeleton

Narrative should distinguish: (a) which data flows fall into which posture (recommend a table in the rationale); (b) where intra-group agreements are needed (Article 26 joint-controller / SCC / BCR); (c) any DPIA triggers that follow from the posture; (d) the deferred Phase 1B PDPL alignment workstream this baseline will feed.

Default options (3)

processor_only Processor for all group personal data

GCC processes personal data exclusively on instruction from group / customer controllers; never determines purposes / means.

Pros
  • + Cleanest narrative for customer / group contracts
  • + Lowest direct regulatory exposure
  • + Standard sub-processor mechanics apply
Cons
  • − Limits GCC autonomy on data-driven product work
  • − Requires tight instruction logs and contract clauses

joint_controller_for_internal_data Joint controller for internal data; processor for customer data

GCC is a joint controller for group-internal HR / vendor data and a processor for customer data.

Pros
  • + Realistic for GCCs that run group HR / IT functions
  • + Permits direct decisions on retention, lawful basis, etc., for internal data
Cons
  • − Joint-controller arrangements require Article 26-style agreements
  • − Allocation of data-subject-rights responsibilities must be explicit

independent_controller Independent controller for own purposes

GCC determines purposes / means independently for at least some personal-data flows (e.g., its own employees, its own marketing).

Pros
  • + Necessary for direct hiring and own-payroll processing
  • + Accurate reflection of operational reality
Cons
  • − Adds full DPIA / records-of-processing-activities burden
  • − Demands a dedicated data-protection function inside the GCC

Default approval chain

  1. ProgrammeLead
  2. Admin

Linked evidence questions (4)

id: legal.q.dpa_scope_and_role
prompt: For data flows between the parent / group and the GCC entity, will the GCC be a controller, joint-controller, or processor of personal data, and which DPA template applies?
workstream: legal.contracts_ip

id: legal.q.cross_border_transfer_mechanism
prompt: What cross-border transfer mechanism will be used for personal data flowing into / out of the GCC's jurisdiction (Standard Contractual Clauses, adequacy, intra-group BCRs, derogations)?
workstream: legal.contracts_ip

id: legal.q.sub_processor_register
prompt: What is the initial sub-processor register for the GCC (cloud providers, SaaS vendors, payroll processors, etc.), and what is the customer-notification process for additions?
workstream: legal.contracts_ip

id: legal.q.dpo_appointment
prompt: Is a Data Protection Officer (DPO) required by law for the GCC, and if so who is the appointee and what is their reporting line?
workstream: legal.contracts_ip