Databricks · Databricks Privacy Notice

Controller vs. Processor Distinction for Platform Data

Medium severity
Share 𝕏 Share in Share 🔒 PDF

What it is

If your employer or another company uses Databricks to process your data, Databricks is not responsible under this privacy policy — the company that hired Databricks is. You need to contact that company, not Databricks, about your data rights.

Consumer impact (what this means for users)

If your personal data is processed within a Databricks customer's platform environment, this privacy notice does not apply to you — you must contact the enterprise customer directly, which may be your employer or a third-party service provider, to exercise rights like deletion or access.

Cross-platform context

See how other platforms handle Controller vs. Processor Distinction for Platform Data and similar clauses.

Compare across platforms →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

This clause can leave individuals without a clear path to exercise their privacy rights if their data is processed through an enterprise customer's Databricks environment, creating a potential accountability gap.

View original clause language
When Databricks acts as a service provider/data processor, our collection and use of personal information on behalf of our customers (who act as data controllers/businesses) is governed by our agreements with those customers and is not subject to this Privacy Notice. If you have questions about the processing of your personal information in connection with a Databricks customer's application or service, please contact the applicable Databricks customer.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: This provision implicates GDPR Art. 28 (processor obligations), Art. 4(7)/(8) (controller/processor definitions), Art. 26 (joint controllers), and CCPA §1798.140(ag) (service provider definition). Under GDPR, this clause places responsibility on the data controller (Databricks' enterprise customer) to fulfill data subject rights, but Databricks as processor must contractually assist per Art. 28(3)(e). The Irish DPC and CPPA both have enforcement authority over failures in this structure.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • FTC
    FTC has jurisdiction over deceptive or unfair data practices where the controller/processor distinction is used to obscure accountability from consumers
    File a complaint →

Provision details

Document information
Document
Databricks Privacy Notice
Entity
Databricks
Document last updated
April 29, 2026
Tracking information
First tracked
April 30, 2026
Last verified
April 30, 2026
Record ID
CA-P-004407
Document ID
CA-D-00458
Evidence Provenance
Source URL
https://www.databricks.com/legal/privacynotice
Wayback Machine
View archived versions →
SHA-256
c2601098042d922e6c540b44624976b336394366f0003fd04e5ca853cfbadda2
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Databricks | Document: Databricks Privacy Notice | Record: CA-P-004407
Captured: 2026-04-30 10:03:00 UTC | SHA-256: c2601098042d922e…
URL: https://conductatlas.com/platform/databricks/databricks-privacy-notice/controller-vs-processor-distinction-for-platform-data/
Accessed: May 2, 2026
Classification
Severity
Medium
Categories
Unknown

Other provisions in this document