Companies, insurance providers, and government agencies regularly hire external experts and consultants—such as medical experts, IT forensic specialists, technical experts, or psychological experts. In practice, this often raises the question:
Are appraisers and experts considered data processors or independent data controllers under the GDPR—and what implications does this have for data protection, data subjects’ rights, and the right to erasure?
This article explains in simple terms how data processors are classified in accordance with the GDPR, what role they play in data protection, and what this means for requests for erasure under Article 17 of the GDPR.
1. Basic Concepts Under the GDPR: Data Controller and Data Processor
For the classification of experts under data protection law, the distinction between the controller and the processor is key:
- Data Controller (Art. 4(7) GDPR)
The data controller determines why (purpose) and how (means) personal data is processed. The data controller is the primary point of contact for data subjects, bears the risk of data protection breaches, and must fully comply with the requirements of the General Data Protection Regulation (GDPR).
- Data processor (Art. 4(8), Art. 28 GDPR)
A data processor processes personal data on behalf of the controller and in accordance with the controller’s instructions. The data processor does not pursue its own purposes but supports the controller—for example, as an IT service provider, cloud provider, or hosting provider.
The classification of appraisers and experts under data protection law therefore depends on who determines the purposes of the data processing and the extent of the appraiser’s own discretion.
2. When are experts considered processors under the GDPR?
An expert acting as a data processor is primarily considered when:
- the appraiser acts solely in accordance with the client’s (company, insurance company, government agency) specified objectives,
- the client specifies in detail which data is to be processed and for what purpose,
- the expert has no independent professional or legal obligations regarding documentation or record-keeping,
- the expert is essentially an “extension” of the controller.
Typical scenarios:
- An IT service provider prepares a technical report on IT security and processes personal data solely for the purpose of auditing a company’s IT systems.
- An external service provider conducts standardized audits and reports exclusively to the client company.
In such cases, there are strong grounds for classifying the expert as a data processor under data protection law, in accordance with Article 28 of the GDPR. In practice, this means:
- The client remains the controller pursuant to Article 4(7) of the GDPR.
- A data processing agreement (DPA) pursuant to Article 28 of the GDPR must be concluded between the client and the expert.
- Data subjects' rights (e.g., the right to access, erasure, and rectification) are primarily fulfilled by the client.
3. When are experts considered data controllers under the GDPR?
In many cases, however, appraisers and experts are controllers in their own right within the meaning of Article 4(7) of the GDPR. This applies in particular when they:
- decide for themselves what data is collected and processed,
- conduct an independent expert assessment,
- are subject to their own legal or professional documentation and retention requirements,
- must not act solely in the interest of a single client.
Examples:
- Court-appointed experts: They work on behalf of the court, determine for themselves what information is necessary for the expert opinion, and prepare an independent expert report.
- Medical experts for private or public health insurance companies: They collect health data, prepare medical reports, and are often subject to specific medical documentation requirements.
- Occupational health experts and psychological aptitude assessments: These experts independently select methods and tests and prepare a professionally independent report.
- IT forensics service providers with a customized investigation approach: They decide which log data, systems, and documents to analyze in order to investigate security incidents.
Many data protection authorities generally regard independent professionals with their own professional responsibility—such as doctors, lawyers, tax advisors, and experts—as independent data controllers rather than mere data processors.
It is therefore important for companies, insurance providers, and government agencies to note:
If such experts are mistakenly treated as “data processors” and corresponding Article 28 agreements are entered into, this may result in data protection risks and complaints from supervisory authorities.
4. Joint responsibility between the client and the expert
In some situations, the client and the expert jointly determine the purposes and means of processing personal data. In such cases, joint controllership under Article 26 of the GDPR may apply.
Examples:
- joint platforms involving companies and experts,
- collaborative research projects,
- standardized assessment programs with jointly defined processes.
In that case:
- A joint controller agreement must be concluded in accordance with Article 26 of the GDPR.
- Data subjects must be clearly informed about who is responsible for what and whom they can contact regarding their rights (right of access, erasure, restriction).
5. Rights to erasure under Article 17 of the GDPR for consultants and experts
Whether an entity is classified as a data processor or a data controller has a direct impact on requests for erasure from data subjects (Art. 17 GDPR).
5.1. Requests for erasure when the expert is a data processor
If the expert is a processor under Article 28 of the GDPR:
- The primary point of contact for the request for erasure is the client (e.g., a company, insurance provider, or government agency) as the data controller.
- As a general rule, the data processor may only delete or block data upon instruction from the data controller.
- The controller verifies whether the conditions for the right to erasure under Article 17(1) of the GDPR are met or whether exceptions under Article 17(3) of the GDPR apply (e.g., statutory retention obligations, legal claims).
- The processor is required to assist the controller in fulfilling the rights of data subjects.
Practice: If a request for erasure is received directly by the expert, the expert should forward the request to the controller and inform the data subject accordingly.
5.2. Requests for deletion when the expert is the data controller
If the expert is the data controller, they must independently review requests for erasure in accordance with Article 17 of the GDPR:
- Requirements for erasure
Erasure may be considered, in particular, if:
- the data is no longer required for the original purpose of the assessment,
- consent has been withdrawn and there is no other legal basis,
- the data was processed unlawfully.
- Typical grounds for not erasing data immediately (Art. 17(3) GDPR)
In practice, experts often cite the following reasons for not deleting data completely and immediately:
- Legal retention requirements (e.g., under tax and commercial law, professional regulations, and medical documentation requirements).
- Asserting or defending legal claims (Art. 17(3)(e) GDPR): In the event of a dispute, experts must be able to demonstrate how they arrived at their conclusion.
- Procedural requirements for expert opinions in court proceedings.
- Alternative under data protection law: Restriction of processing (Art. 18 GDPR)
If complete erasure is not (yet) permitted, restricting processing is often a viable option:
- Data is locked internally,
- Access is limited to a few people,
- Use only for narrowly defined purposes (e.g., legal defense, compliance with retention obligations).
Data subjects are entitled to a transparent explanation of why the request for erasure has been partially or fully denied and on what legal basis the data will continue to be stored.
6. Data Protection Practices for Businesses, Insurance Companies, and Government Agencies
For companies, insurance providers, and government agencies, the correct classification of consultants and experts under data protection law is of strategic importance:
- The following should be clarified when hiring experts:
- Does the expert act as the controller, or
- Does the expert act as a data processor under Article 28 of the GDPR?
- If the expert is an independent controller, the following points must be observed:
- tailored privacy notices for data subjects,
- clear procedures for handling requests for information and deletion,
- if applicable, information indicating that affected parties may also exercise their rights directly with the expert.
- If the expert acts as a data processor, the following is required:
- Entering into a data processing agreement in accordance with Article 28 of the GDPR, with clear provisions regarding access, the right to issue instructions, technical and organizational measures (TOM), data erasure, and support for data subjects’ rights.
Incorrect classification of experts—such as treating them as data processors across the board even though they are actually data controllers in their own right—can lead to GDPR violations, fines, and issues during supervisory audits.
7. Legally sound classification of experts – our consulting services
GoldbergUllrich Rechtsanwälte PartG mbB is a law firm specializing in IT law, data protection law, and compliance, serving clients both nationwide and internationally. We assist companies, insurers, and government agencies, particularly in the following areas:
- the legal classification of consultants and experts under data protection law (data processors vs. independent data controllers, joint controllership),
- the drafting and review of data processing agreements (Art. 28 GDPR) and Article 26 agreements on joint controllership,
- the development of practical data protection strategies for handling medical reports, IT forensic reports, technical expert reports, and psychological reports,
- the creation and optimization of privacy notices and internal processes related to data subjects' rights (access, erasure, restriction of processing),
- assistance with inquiries or audits by data protection supervisory authorities regarding consultants and experts.
If you would like to clarify how your appraisers and experts should be classified in accordance with the GDPR and how to establish legally compliant processes for requests for erasure under Article 17 of the GDPR, we would be happy to assist you.