The terms data controller and data processor are fundamental to the General Data Protection Regulations (GDPR).
Because they are often used interchangeable, it can be confusing to keep track of the data protection and privacy duties and responsibilities assigned to each role by the GDPR and the Data Protection Act 2018 (DPA 2018). This can lead to an unintentional GDPR breach which may result in a heavy fine and reputational damage.
Although data protection and privacy law compliance may seem unimportant, understanding is vital to ensure you are not breaking the law.
Continue reading to discover the key differences between a data controller and a data processor.
What is a data controller?
A data controller is a "natural or legal person, public authority, agency or other body which, alone or with others, determines the purposes and means of processing personal data", as stated in the GDPR law.
A controller decides on the data processing issues of what, why, and how.
What is a data processor?
A processor is "a natural or legal person, public authority, agency or other body which processes personal information on behalf of the controller", as defined in the GDPR.
A processor is a separate legal entity from the controller, and they process data on behalf of the controller and have no purpose of their own for processing the data.
How can I tell the difference between a data controller and a data processor?
It can be tricky. Below are some questions created by the ICO that can help businesses to ascertain whether they are a data controller or a data processor.
You are likely to be a data controller if you:
- are the organisation that collects the data in the first instance and has the legal basis for which to do so
- decide what the personal data is to be used for
- decide whether to disclose the data and if so, who to
- decide whether subject access and other individuals’ rights apply or whether there are exemptions
- choose how long to retain the data or whether to amend the data in a way that is not routine
You are likely to be a data processor if you decide:
- the methods used for personal data collection and storage
- how the data is secured
- the means used to transfer personal data from one organisation to another
- how personal data is retrieved
- the method for ensuring a retention schedule is adhered to
- how personal data is deleted
The above lists are not exhaustive. Broadly, a processor decides on the technical matters concerning the data, but the controller determines what the data is to be used for and it's content.
What is a joint controller?
A joint controller is where two or more controllers work jointly to determine the purposes and means of processing. This may occur in situations where a joint venture is formed or in the initial stages of a company merger.
The GDPR provides for specific duties in the case of joint controllers, including:
- The controllers must establish who is responsible for conducting GDPR compliance obligations such as security measures, breach notifications, and establishing a legal purpose for collecting data. These arrangements must be transparent and available to data subjects
- Each controller is liable for all the damage caused by the processing activities unless it can prove it is not in any way responsible for the event giving rise to the damage
What if my organisation does not fit neatly into the definition of the data controller or data processor?
It is recognised that a grey area exists in which it is almost impossible to determine if a particular organisation is a controller or processor, especially in situations involving complex contracts and large supply chains.
If your business’s position is ambiguous, you must take the following steps to protect your interests in case of a compliance or data breach:
- Make sure that any classifications of a data controller and data processor are documented, alongside the reasons for making the relevant decisions
- Do not base decisions on the contract; instead, look at the facts of the relationship. For example, Article 28(10) of the GDPR states that if a processor decides the purpose and means of the processing, they are, in fact, a controller
- Document any changes to the classifications of controllers and processors and the reason for the changes
- Seek legal advice if you are uncertain about your role in a particular agreement
Get legal assistance from LawBite
Determining whether your business is a data controller or processor can be confusing. Our team of friendly, approachable data protection lawyers can assist you with this and all other data protection and privacy law matters.
LawBite has helped 1000s of businesses achieve their commercial ambitions. To find out how we can help your business to be compliant with GDPR, data protection, and privacy law, book a free 15 minute consultation or call us on 020 3808 8314.
