What is the main difference between a data controller and a data processor? Why are those differences important and what are their responsibilities under the General Data Protection Regulation (GDPR)?

There is still some confusion and uncertainty about the essential differences between the data controller and the data processor. We will compare those roles in order to understand what your obligations are.

Understanding these differences is a crucial step in the compliance program since it will affect your responsibilities under the GDPR.

Who is a Data Controller?

A data controller is a natural person, legal entity, organization, company, agency, or any other institution that, alone or jointly with other data controllers, defines the purpose and means of personal data processing. Bear in mind that the Member States can also set additional specific criteria about who can be considered a controller.

Although the GDPR describes the controller in these broad terms, the WP29 Opinion on the concepts of “controller” and “processor” identified three main building blocks for defining who the data controller is:


• the personal aspect (“the natural or legal person, public authority, agency or any other body”)
• the possibility of pluralistic control (“which alone or jointly with others”)
• the essential elements that distinguish the controller from others (“determines the purposes and the means of the processing of personal data”)

The data controller is the one who determines the purpose and the means of the processing (not the data processor), and that is why the controller bears the majority of the responsibilities and obligations under the GDPR.

Who is a Data Processor?

A data processor is the legal or natural person, organization, agency, authority, or institution which processes personal data on behalf of the controller.

Usually, the data processor is a third-party company chosen by the data controller to process the data. The data processor does not own the data, does not define the purpose of the processing or the means by which the data will be used, and answers to the data controller.

As the WP29 elaborates, the existence of a data processor depends on decisions taken by the controller, who can decide either to process data within its own organization or to delegate all or part of the processing activities to an external organization.

Two basic conditions for qualifying as a processor are being a separate legal entity with respect to the controller and processing personal data on the controller's behalf.


Obligations of a Data Controller

• ensuring that the proper lawful basis is defined
• providing information to the data subjects
• carrying out a DPIA (data protection impact assessment)
• resolving data subjects’ requests
• ensuring proper handling and security of the data
• defining data retention and data removal policies

As a data controller, you will be obligated to implement appropriate technical and organizational measures to be able to demonstrate that processing is performed in accordance with the GDPR or any other data protection law.

The data controller is also responsible for fulfilling data subject requests regarding their personal information. However, data subjects can file a complaint and ask for compensation from both the data controller and the data processor.

The controller is responsible for the safekeeping of data, defining data retention and data removal policies, and maintaining the records of processing activities, and also carries the legal responsibility for a data breach.

The data controller is held accountable for data processing done by the data processor and needs to ensure that agreements, contracts and other measures are in place so that the processing done by the data processor is GDPR compliant.

Obligations of a Data Processor

• implementing security measures (e.g., pseudonymization and encryption)
• record-keeping
• notifying data controller if there is a data breach
• ensuring compliance with the rules of international data transfer

When processing is carried out on behalf of a controller, the processor is obligated to provide sufficient guarantees that it implements the technical and organizational measures required by the GDPR and ensures the protection of the rights of the data subject.

The processor will conduct data processing only when there is a documented instruction from the controller.

As a processor, you should assist the controller in ensuring compliance with the security requirements and in notifying the supervisory authority and data subjects about a data breach (Articles 32 to 36), taking into account the nature of the processing and the information available to you.

The processor should not engage another processor without the specific written authorization of the controller.

However, if the processor obtains such authorization, the new processor will have the same obligations, especially when it comes to implementing appropriate technical and organizational measures. If the other processor fails to fulfil its obligations, the initial processor remains fully liable to the controller.

Data Processor is responsible for creating and implementing processes that enable the data controller to gather data, store the data, and transfer it if necessary.

A processor may be more or less involved in the processing, but the main differentiator is that the overall purpose of the processing is determined by the controller.

Joint Controller

Where two or more entities, organizations or companies jointly determine the purpose and means of processing, the GDPR considers them to be joint controllers.

As a joint controller, you should determine, in a transparent manner, your respective responsibilities for compliance with the GDPR obligations, in particular regarding the exercising of the rights of the data subject and the duty to provide the information referred to in Articles 13 and 14. However, each controller remains responsible for complying with all the obligations under the GDPR.

The EDPB's 2019 Annual Report stated that stakeholders stressed the changed business context for data sharing and highlighted difficulties in incorporating practical duties into contracts. They suggested that there should be more clarification regarding the criteria for determining whether a relationship qualifies as joint controllership.

Controller-Processor Contract

It is very important to clearly determine what the obligations of both the controller and the processor are. That is why the GDPR stipulates that the relationship between the controller and the processor should be governed by a contract or other legal act under Union or Member State law.

The contract binds the processor and sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller (Article 28(3)).

Difference between processor and controller: an example

In real-life situations, there are many complex scenarios involving controllers and processors, alone or jointly, with different degrees of autonomy and responsibility.

It can be challenging to understand what your obligations are.

For example, if an ISP provides maintenance and hosting services for other websites, the ISP is clearly a data processor, because it only provides the service or platform for other businesses, while the website owners determine the purpose of their websites and of the processing they carry out on them. However, if the ISP takes the collected data and processes it for its own purposes, it becomes a data controller.

Always look at the purpose and means of the processing and on whose behalf the processing is done.

✅ The Data Controller determines the purpose and the means of data processing, not the Data Processor
✅ The Data Processor acts on the Data Controller's instructions and, although it can make certain decisions about the way the processing is done, has limited control over the data
✅ The Data Processor has no reason to process that particular set of data on its own
✅ The Data Processor and the Data Controller have different sets of responsibilities