Close this search box.
AI-based solution designed to automate personal data discovery and classification
Discover personal data across multiple systems in the cloud or on-premise
Harbor cooperation between DPO, Legal Services, IT and Marketing
Turn data subjects request into an automated workflow with a clear insight into data every step of the way
Collaborate with stakeholders and manage DPIA and LIA in real-time with Assessment Automation
Guide your partners trough vendor management process workflow
Identifying the risk from the point of view of Data Subject
Quickly respond, mitigate damage and maintain compliance
Consolidate your data and prioritize your relationship with customers
Privacy portal allows customers to communicate their requests and preferences at any time
Introducing end-to end automation of personal data removal

Latest Blog posts

Learn the terms

General Data Protection Regulation

Here you can find the official content of the Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version. All Articles of the GDPR are linked with suitable recitals.

Latest papers

Difference between Data Controller and Data Processor

What is the main difference between a data controller and a data processor? Why are those differences important, and what are the responsibilities of each role under the EU General Data Protection Regulation (GDPR)?

There is still a bit of confusion in understanding the essential differences between the data controller and the data processor.

We will compare those roles in order to truly understand what your obligations are and ensure you achieve GDPR compliance.

Understanding these differences is crucial in the compliance program since it will affect your responsibilities under the GDPR.

Who is a Data Controller?

A Data Controller is a natural person, legal entity, organization, company, agency, or any other institution that, alone or jointly with other controllers, defines the purpose and means of personal data processing.

Remember that the Member States can also determine additional specific criteria about who can be considered a controller.

Despite the fact that GDPR describes the controller in these broad terms, the WP29 Opinion on the concepts of “controller” and “processor” recognized 3 main building blocks when it comes to defining who is the data controller:

building blocks when defining who is the data controller

  • the personal aspect (“the natural or legal person, public authority, agency or any other body”)
  • the possibility of pluralistic control (“which alone or jointly with others”)
  • the essential elements to distinguish the controller from others  (“determines the purposes and the means of the processing of personal data”)

The Data Controller is the one who determines the purpose and means of the processing (not the processor).

That is why the controller holds a majority of responsibilities and obligations under the GDPR.

Who is the Data Processor

Data Processor is the legal or natural person, organization, agency, authority, or institution that processes personal data on behalf of the controller.

Usually, the data processor is a third-party company chosen by the data controller to process the data.

The Data Processor does not own the data, does not define the purpose of the data processing activity or how data will be used, and answers to the data controller.

As the WP29 elaborates, the existence of a data processor depends on decisions taken by the controller. The controller can decide either to process data within the organization or to delegate processing activities to an external organization.

Two basic conditions for qualifying as a processor are a separate legal entity concerning the controller and processing personal data on his behalf.

Two basic conditions for qualifying as a data processor

Joint Controller

When two or more entities, organizations, or companies jointly determine the purpose and means of processing, GDPR considers them to be joint controllers.

As a joint controller, you should determine individual responsibilities for compliance with the GDPR obligations in a transparent manner.

In particular, regarding exercising the rights of the data subject and the duty to provide the information referred to in Article 13 and Article 14.

However, each controller remains responsible for complying with all the obligations under the GDPR.

Obligations of a Data Controller

As a data controller, you are obligated to implement appropriate technical and organizational measures to be able to demonstrate that processing is performed in accordance with the GDPR or any other data protection law.

The Data Controller is also responsible for fulfilling the data subject requests regarding their personal information.

However, data subjects can file a complaint and ask for compensation from both the data controller and the data processor.

The controller is responsible for the safekeeping of data, defining data retention and data removal policies, maintaining the records of processing activities, and also carries legal responsibility for a data breach.

The Data Controller is accountable for data processing done by the processor and needs to ensure there are agreements, contracts, and other measures to ensure GDPR-compliant personal data processing.

Obligations of Data Processor

  • Implementing security measures  (pseudonymization or encryption)
  • Record-keeping
  • Notifying the data controller if there is a data breach
  • Ensuring compliance with the rules of international data transfer

When processing is carried out on behalf of a controller, a processor is obligated to provide acceptable guarantees for technical and organizational measures to ensure compliance and the protection of data subject rights.

The processor will conduct data processing only when there is a documented instruction from the controller.

As a processor, you should assist the controller in ensuring compliance with security requirements.

This includes notifying supervisory authority and data subjects about a data breach while taking into account the nature of processing and the information available.

The processor should not engage another processor without the specific written authorization of the controller.

However, if the processor obtains such authorization, the new processor will have the same obligations, especially when implementing appropriate technical and organizational measures. The initial processor will be considered fully accountable if the other processor fails.

The Data Processor is responsible for creating and implementing processes that enable the data controller to gather data, store the data, and transfer it if necessary.

A processor may be more or less involved in the processing, but the main differentiator is that the controller determines the overall purpose of the processing.

Controller-Processor Contract

It is very important to clearly determine the obligations of both the controller and the processor.

That is why GDPR stipulates that the relationship between the controller and the processor should be governed by a contract or other legal act under Union or Member State law.

The contract binds the processor and sets out the subject matter and duration of the processing, nature, and purpose of the processing, the type of personal data, categories of data subjects, and the obligations and rights of the controller – Article 28(3)

Example of processor/controller relationship

Many complex scenarios involve controllers and processors in real-life situations, alone or jointly, with different degrees of autonomy and responsibility.

It can be challenging to understand what your obligations are.

For example, If the Internet Service Provider provides maintenance and hosting for other websites, it is clear that the ISP is a data processor because it only provides the service or platform for other businesses.

Website owners determine the purpose of their websites and the processing they are doing on their websites.

However, if the ISP takes the data collected and processes it for their own purpose, they are the data controller.

Key takeaways

Always look at the purpose and meaning of the processing and on whose behalf the processing is done.

  • The Data Controller, not the Processor, determines the purpose and the meaning of data processing.
  • Data Processor acts on Data Controller instructions, and although it can make a certain decision about how the processing will be done, it has limited control over data.
  • Data Processor has no reason to process that particular set of data on his own
  • Data Processors and data controllers have different sets of responsibilities.

Request a Data Privacy Manager demo

Let us navigate you through the Data Privacy Manager solution and showcase functionalities that will help you overcome your compliance challenges.

Scroll to Top