When enterprise customers submit data through Writer, Writer is acting as a data processor following the customer's instructions, while the customer remains legally responsible for that data under privacy law.
This analysis describes what Writer's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This allocation of legal roles has significant implications for enterprise compliance teams: it means the enterprise customer bears primary obligations under GDPR for lawful basis, data subject rights, and privacy notices related to the data they submit to Writer.
Interpretive note: The precise scope of what constitutes 'Customer Data' versus other data categories processed by Writer may vary by contract and use case, affecting the boundaries of the controller/processor allocation.
Enterprise customers are responsible for ensuring their use of Writer complies with applicable privacy laws, including obtaining any necessary consents from employees or end users whose data is submitted to the platform.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
Monitoring
Writer has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"With respect to Customer Data that enterprise customers submit to Writer's Services, Writer acts as a data processor on behalf of the customer, who acts as the data controller. The customer is responsible for ensuring they have the appropriate rights and permissions to submit such data to Writer.— Excerpt from Writer's Writer Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Article 28, which governs processor agreements and requires a written contract specifying the subject matter, duration, nature, and purpose of processing, as well as obligations and rights of the controller. UK GDPR contains equivalent requirements. The allocation of controller status to the enterprise customer places GDPR Articles 13 and 14 notice obligations, Article 6 lawful basis obligations, and Articles 15-22 data subject rights response obligations on the customer. GOVERNANCE EXPOSURE: High for enterprise customers. Organizations subject to GDPR or UK GDPR that deploy Writer must ensure a compliant DPA is in place, that their privacy notices cover processing by Writer as a sub-processor, and that they have documented their lawful basis for submitting employee or customer data to Writer's platform. Failure to do so creates direct regulatory exposure for the enterprise customer as controller. JURISDICTION FLAGS: EU and UK organizations face the highest exposure given GDPR Article 28 requirements. California CPRA-regulated businesses should ensure a service provider agreement is in place with Writer, as the CPRA imposes similar written agreement requirements for service providers. Canadian organizations under PIPEDA should assess whether outsourcing notification obligations apply. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams must obtain and execute Writer's DPA before submitting personal data to the platform. The DPA should specify sub-processor lists, breach notification timelines (GDPR requires 72-hour notification to supervisory authority), data deletion timelines, and audit rights. The policy's statement that the customer is responsible for having appropriate rights to submit data also creates potential indemnification exposure if data is submitted without proper authorization. COMPLIANCE CONSIDERATIONS: Organizations should update their data processing records of activities (GDPR Article 30) to include Writer as a processor, review and update privacy notices to reference Writer's processing, confirm DPA execution, and assess whether existing data subject consent or legitimate interest assessments cover the submission of data to Writer's platform.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This allocation of legal roles has significant implications for enterprise compliance teams: it means the enterprise customer bears primary obligations under GDPR for lawful basis, data subject rights, and privacy notices related to the data they submit to Writer.
Enterprise customers are responsible for ensuring their use of Writer complies with applicable privacy laws, including obtaining any necessary consents from employees or end users whose data is submitted to the platform.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Writer.