Difference between Data Controller and Data Processor


In real-life situations, there are many complex scenarios involving controllers and processors, alone or jointly, with different degrees of autonomy and responsibility. Understanding these differences is a crucial step in the compliance program since it will affect your responsibilities under the GDPR.

What is the main difference between a data controller and a data processor? Why are those differences important, and what are the responsibilities of each role under the EU General Data Protection Regulation (GDPR)?


Who is a Data Controller?

A Data Controller is a natural person, legal entity, organization, company, agency, or any other institution that, alone or jointly with other data controllers, defines the purpose and means of personal data processing.

Bear in mind that the Member States can also determine additional specific criteria about who can be considered a controller.

Although the GDPR describes the controller in these broad terms, the WP29 Opinion on the concepts of “controller” and “processor” identified three main building blocks for defining who the data controller is:

  • Personal aspect (“the natural or legal person, public authority, agency or any other body”)
  • Possibility of pluralistic control (“which alone or jointly with others”)
  • Essential elements that distinguish the controller from others (“determines the purposes and the means of the processing of personal data”)

The data controller is the one who determines the purpose and the means of data processing (not the data processor), and that is why the controller bears the majority of responsibilities and obligations under the GDPR.

Who is the Data Processor?

The Data Processor is the legal or natural person, organization, agency, authority, or institution that processes personal data on behalf of the controller.

Usually, the data processor is a third-party company chosen by the data controller to process the data. The Data Processor does not own the data, does not define the purpose of the processing or the means by which data will be used, and answers to the data controller.

As the WP29 elaborates, the existence of a data processor depends on decisions taken by the controller, who can decide either to process data within his organization or to delegate all or part of the processing activities to an external organization.

Two basic conditions for qualifying as a processor are being a separate legal entity with respect to the controller and processing personal data on his behalf.

Joint Controller

When two or more entities, organizations, or companies jointly determine the purpose and means of processing, GDPR considers them to be joint controllers.

As a joint controller, you should determine, in a transparent manner, each controller's individual responsibilities for compliance with the GDPR obligations, in particular regarding the exercise of the data subject's rights and the duty to provide the information referred to in Article 13 and Article 14.

However, each controller remains responsible for complying with all the obligations under the GDPR.

Obligations of a Data Controller

As a data controller, you are obligated to implement appropriate technical and organizational measures to be able to demonstrate that processing is performed in accordance with the GDPR or any other data protection law.

The Data Controller is also responsible for fulfilling the data subject requests regarding their personal information.

However, data subjects can file a complaint and ask for compensation from both the data controller and the data processor.

The controller is responsible for the safekeeping of data, defining data retention and data removal policies, maintaining the records of processing activities, and also carries legal responsibility for a data breach.

The Data Controller is accountable for data processing done by the processor and needs to ensure there are agreements, contracts, and other measures to ensure GDPR-compliant personal data processing.

Obligations of Data Processor

  • Implementing security measures (pseudonymization or encryption)
  • Record-keeping
  • Notifying the data controller if there is a data breach
  • Ensuring compliance with the rules of international data transfer

When processing is carried out on behalf of a controller, a processor is obligated to provide acceptable guarantees for technical and organizational measures to ensure compliance and the protection of data subject rights.

The processor will conduct data processing only when there is a documented instruction from the controller.

As a processor, you should assist the controller in ensuring compliance with security requirements.

This includes notifying the supervisory authority and the data subjects about a data breach, taking into account the nature of the processing and the information available.

The processor should not engage another processor without the specific written authorization of the controller.

However, if the processor obtains such authorization, the new processor will have the same obligations, especially when implementing appropriate technical and organizational measures. The initial processor will be considered fully accountable if the other processor fails.

The Data Processor is responsible for creating and implementing processes that enable the data controller to gather data, store the data, and transfer it if necessary.

A processor may be more or less involved in the processing, but the main differentiator is that the controller determines the overall purpose of the processing.

Controller-Processor Contract

It is very important to clearly determine the obligations of both the controller and the processor.

That is why GDPR stipulates that the relationship between the controller and the processor should be governed by a contract or other legal act under Union or Member State law.

The contract binds the processor and sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, and the obligations and rights of the controller (Article 28(3)).