Are you a GDPR Controller or Processor?

Navigating the complexities of GDPR compliance starts with grasping the difference between controllers and processors. These roles are essential for ensuring accountability and data protection within any organisation.
The distinction boils down to one key question:
Who determines the purpose and means of processing personal data?
Answering this question defines the roles, responsibilities, and compliance requirements under GDPR.
What Is a Controller?
A controller is the primary decision-maker in data processing operations. This entity decides why data is collected and how it will be handled. Controllers bear ultimate responsibility for GDPR compliance, ensuring that data is processed lawfully, fairly, and transparently.
Controllers must also:
- Implement appropriate technical and organisational measures to safeguard data.
- Verify that any processors they engage comply with GDPR standards.
Example Scenario
A retail company collects customer data for loyalty programs and marketing campaigns.
The company decides:
- What data to collect (e.g., names, email addresses, purchase history).
- How to process the data (e.g., by analysing purchase behaviour for personalised offers).
- Which tools or systems to use for these activities.
In this case, the retail company is the controller, as it determines both the purpose and the means of processing. The responsibility for protecting this data, and for demonstrating compliance, rests with the controller.
What Is a Processor?
A processor acts on behalf of a controller, executing specific tasks without making independent decisions about the data’s purpose. Processors are service providers that help fulfil the controller’s objectives.
While processors have fewer GDPR obligations, they are not exempt from accountability. They must:
- Maintain stringent data security measures.
- Report personal data breaches to the controller without undue delay after becoming aware of them.
- Keep records of processing activities.
Example Scenario
The retail company hires an email marketing firm to manage campaigns.
The firm:
- Follows instructions on when and how to send promotional emails.
- Processes customer data solely for the controller’s purposes.
- Ensures compliance with GDPR requirements.
Here, the email marketing firm is the processor, as it acts under the controller’s direction without exercising independent control over the data.
Controllers and Processors Examples
Example 1: Small Business and Cloud Storage
A small business uses a cloud storage provider to save customer invoices.
The small business is the controller, deciding what data to upload and why.
The cloud provider, merely hosting the data without making decisions about its use, acts as the processor.
This relationship requires a clear data processing agreement.
Example 2: Healthcare
A hospital collects patient data to provide medical care. It partners with a billing service to handle invoicing.
The hospital is the controller, responsible for deciding how the data is used. The billing service is the processor, executing tasks as instructed. Both must ensure patient data is safeguarded at all times.
Example 3: Joint Controllers
Sometimes, two entities jointly determine the purposes and means of processing. For instance, a travel agency and an airline collaborate to manage customer bookings.
If both agree on how customer data will be used and shared, they are joint controllers, requiring a shared agreement outlining responsibilities under GDPR.
Example 4: Sub-Processors
Processors may engage sub-processors to perform specific tasks. For example, an email marketing firm might use a cloud-based email platform.
In this case, the platform is a sub-processor. The processor needs the controller’s prior written authorisation (specific or general) before engaging it, must pass on the same data protection obligations it has agreed with the controller, and remains fully liable to the controller for the sub-processor’s compliance.
Key Takeaways
- Controllers decide why and how data is processed, ensuring compliance with GDPR principles.
- Processors follow the controller’s instructions, maintaining robust security measures and accountability.
- Data Processing Agreements (DPAs) are essential for defining roles and ensuring compliance.
- Joint controllers and sub-processors add complexity, requiring clear agreements to manage responsibilities effectively.
By understanding these roles and implementing robust contracts, organisations can ensure GDPR compliance and build trust with individuals whose data they handle.
Clear communication and adherence to data protection principles form the cornerstone of effective GDPR practices.
FAQs
What’s the difference between a data controller and a data processor?
A data controller decides why and how personal data is processed. A data processor acts on the controller’s instructions and does not make independent decisions about the data. For example, a company using a cloud-based payroll service is the controller, and the payroll provider is the processor.
Can an organisation be both a controller and a processor?
Yes, depending on the context. An organisation may be a controller for one processing activity (e.g. managing employee data) and a processor for another (e.g. handling customer data on behalf of a client). The role depends on who determines the purpose and means of the processing.
What are the legal responsibilities of a data controller under GDPR?
Controllers have the primary responsibility for GDPR compliance. They must ensure there is a lawful basis for processing, issue privacy notices, honour data subject rights, and choose processors that offer adequate data protection guarantees. They are also responsible for notifying the supervisory authority of a personal data breach (where feasible, within 72 hours of becoming aware of it) and, where the breach is likely to result in a high risk to individuals, informing those individuals.
What obligations does a data processor have?
Processors must follow the controller’s instructions, keep data secure, assist with audits or data subject requests (where required), and report data breaches promptly. They cannot use the data for their own purposes. GDPR also requires processors to maintain records of processing and sign data processing agreements.
Is a data processing agreement (DPA) mandatory?
Yes. Whenever a controller uses a processor, they must put a written contract (or another binding legal act) in place. This agreement should set out the subject matter, nature and purpose of processing, its duration, the types of personal data and categories of data subjects, and obligations such as acting only on documented instructions, confidentiality, security, assisting the controller, and deletion or return of data after processing ends.
Are joint controllers the same as processors?
No. Joint controllers together decide on the purposes and means of processing, sharing responsibility for compliance. In contrast, a processor acts under instruction and doesn’t make decisions about the data’s use. Joint controllers must define their roles clearly in a transparent arrangement.