MaxMind may operate as either a Data Controller or Data Processor depending on the circumstances.
With respect to the personal data of its customers, MaxMind generally is a Data Processor and MaxMind’s customer is the Data Controller. The MaxMind customer, the Data Controller, determines the purposes and means of the processing of personal data. Specifically, MaxMind’s customer decides what personal data to share with MaxMind in order for MaxMind to provide the customer with robust risk score information, certain licensed data, the ability to flag potentially fraudulent activity, and other services as purchased by the customer. In these situations, MaxMind, as the Data Processor, processes personal data on behalf of the MaxMind customer Data Controller at that company’s direction.
MaxMind also operates as a Data Controller with respect to certain of its services and/or databases. When MaxMind combines personal data from different customers, like many kinds of analytics services, it may do this both as a Data Processor at its customers’ instruction and as a Data Controller itself for the purpose of providing services to all of its customers. For example, MaxMind may process and aggregate some of the personal data that a customer shares with MaxMind in order to make that personal data part of another database for one or more other services provided to MaxMind customers. The personal data shared may be combined with personal data elements chosen and provided by other customers.