Skip to content

A law firm will most likely be considered a controller when processing personal data from third parties as part of a representation of a client (e.g., when collecting information from a witness).

While it is theoretically possible that a law firm may function as a processor by collecting personal data from a third party on behalf of a client, in most situations in which law firms are retained the firm determines (either independently or jointly with its client) the type of data that should be collected, how it will be used, and how it will be processed. That level of control would likely be viewed by most supervisory authorities as indicating that a law firm is functioning as a controller.