What is the main difference between a data controller and a data processor? Why are those differences important, and what are the responsibilities for each role under the EU General Data Protection Regulation (GDPR)?
There is still a bit of confusion in understanding the essential differences between the data controller and the data processor.
We will compare those roles in order to truly understand what your obligations are and ensure you achieve GDPR compliance.
Understanding these differences is crucial to your compliance program, since the role you hold determines your responsibilities under the GDPR.
Who is a Data Controller?
A Data Controller is a natural person, legal entity, organization, company, agency, or any other institution that alone or jointly with other controllers determines the purposes and means of personal data processing.
Remember that the Member States can also determine additional specific criteria about who can be considered a controller.
Although the GDPR describes the controller in these broad terms, the WP29 Opinion on the concepts of “controller” and “processor” identified three main building blocks in the definition of a data controller:
- the personal aspect (“the natural or legal person, public authority, agency or any other body”)
- the possibility of pluralistic control (“which alone or jointly with others”)
- the essential elements to distinguish the controller from others (“determines the purposes and the means of the processing of personal data”)
Data Controller is the one who determines the purpose and means of the processing (not the processor).
That is why the controller holds a majority of responsibilities and obligations under the GDPR.
Who is a Data Processor?
A Data Processor is the legal or natural person, organization, agency, authority, or institution which processes personal data on behalf of the controller.
Usually, the data processor is a third-party company chosen by the data controller to process the data.
The Data Processor does not own the data, does not define the purpose of the processing activity or the means by which the data will be processed, and answers to the Data Controller.
As the WP29 elaborates, the existence of a data processor depends on decisions taken by the controller. The controller can decide either to process data within the organization or to delegate processing activities to an external organization.
The two basic conditions for qualifying as a processor are being a separate legal entity from the controller and processing personal data on the controller's behalf.
In a situation where there are two or more entities, organizations, or companies that jointly determine the purpose and means of processing, GDPR considers them to be joint controllers.
As joint controllers, you should determine your respective responsibilities for compliance with the GDPR obligations in a transparent manner, in particular regarding the exercise of the rights of the data subject and the duty to provide the information referred to in Article 13 and Article 14.
However, each controller remains responsible for complying with all the obligations under the GDPR.
The 2019 Annual EDPB report stated that stakeholders stressed the changed business context for data sharing and highlighted difficulties when incorporating practical duties in contracts.
They suggested there should be more clarification regarding the criteria for determining whether the relationship qualifies as joint controllership.
Obligations of a Data Controller
- Ensuring that the proper lawful basis is defined
- Providing information to the data subjects
- Carrying out a DPIA (data protection impact assessment)
- Resolving data subject requests
- Ensuring proper handling and security of the data
- Defining data retention and data removal policies
As a data controller, you are obligated to implement appropriate technical and organizational measures to be able to demonstrate that processing is performed in accordance with the GDPR or any other data protection law.
The Data Controller is also responsible for fulfilling data subject requests regarding their personal information.
However, data subjects can file a complaint and ask for compensation from both the data controller and data processor.
The controller is responsible for the safekeeping of data, defining data retention and data removal policies, maintaining the records of processing activities, and also carries the legal responsibility for a data breach.
The Data Controller is accountable for data processing done by the processor and needs to ensure there are agreements, contracts, and other measures in place to ensure GDPR-compliant personal data processing.
Obligations of a Data Processor
- Implementing security measures (pseudonymization or encryption)
- Notifying data controller if there is a data breach
- Ensuring compliance with the rules of international data transfer
When processing is carried out on behalf of a controller, a processor is obligated to provide acceptable guarantees for technical and organizational measures to ensure compliance and the protection of data subject rights.
The processor will conduct data processing only when there is a documented instruction from the controller.
As a processor, you should assist the controller in ensuring compliance with security requirements.
This includes assisting with the notification of the supervisory authority and the data subjects about a data breach, taking into account the nature of the processing and the information available to the processor.
The processor should not engage another processor without the specific written authorization of the controller.
However, if the processor obtains such authorization, the new processor will have the same obligations, especially when it comes to implementing appropriate technical and organizational measures. If the other processor fails to fulfil its obligations, the initial processor remains fully accountable.
The Data Processor is responsible for creating and implementing the processes that enable the Data Controller to gather data, store it, and transfer it if necessary.
A processor may be more or less involved in the processing, but the main differentiator is the fact the controller determines the overall purpose of the processing.
It is very important to clearly determine the obligations of both the controller and the processor.
That is why GDPR stipulates that the relationship between the controller and the processor should be governed by a contract or other legal act under Union or Member State law.
The contract binds the processor and sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, and the obligations and rights of the controller (Article 28(3)).
Example of processor/controller relationship
There are many complex scenarios involving controllers and processors in real-life situations, alone or jointly, with different degrees of autonomy and responsibility.
It can be challenging to understand what your obligations are.
For example, if an Internet Service Provider (ISP) provides maintenance and hosting for other websites, it is clear that the ISP is a data processor, because it only provides the service or platform for other businesses.
The website owners determine the purpose of their websites and of the processing carried out on them.
However, if the ISP takes the collected data and then processes it for its own purposes, it becomes a data controller for that processing.
Always look at the purpose and means of the processing and on whose behalf the processing is done.
- The Data Controller, not the Data Processor, determines the purpose and the means of data processing.
- The Data Processor acts on the Data Controller's instructions and, although it can make certain decisions about how the processing is done, has limited control over the data.
- The Data Processor has no purpose of its own for processing that particular set of data.
- The Data Processor and the Data Controller have different sets of responsibilities.