Lepide Blog: A Guide to IT Security, Compliance and IT Operations

GDPR Data Controller vs Data Processor

Understanding the distinction between a data processor and a data controller is crucial for those beginning their journey with the General Data Protection Regulation (GDPR). The data controller is primarily responsible for collecting and possessing the data, while the data processor is a third-party hired by the controller to process the data. Three definitions from Article 4 of the GDPR provide clarity on these roles. The controller determines the purpose and methods of processing personal data, while the processor carries out data processing on behalf of the controller. Processing involves the collection, organization, storage, use, or disclosure of personal data. If two or more organizations actively determine the processing, they are considered joint controllers under the law.

Difference Between Data Processors and Data Controllers

The data controller provides instructions to the data processor concerning data processing activities. The processor is not allowed to process personal data unless instructed to do so by the controller. If the processor processes personal data unlawfully without instructions, they may be considered a controller themselves. The privacy law specifies certain tasks that the processor must assist the controller with, including providing information necessary to demonstrate compliance. If an instruction violates GDPR, the processor must promptly inform the controller.

Data Controllers

Data controllers are individuals or organizations that have the authority to make decisions regarding the collection and processing of data. They are responsible for determining the purpose and methods of data processing. Some data controllers are required by law to collect and process personal data. This includes private companies, public authorities, and individual persons such as sole traders or self-employed professionals.

Is your company a data controller?

If you provide affirmative answers to the following questions, then your company is a data controller:

  • Did your organization make the decision to collect and handle personal user data?
  • Did your organization determine the purpose for processing the data?
  • Did your organization determine the type of personal data to be collected?
  • Is your organization expected to derive commercial benefits through the data processing, beyond payment for controller services?
  • Did your organization make decisions regarding the users involved as a result of or in connection with the data processing?
  • Are you applying professional judgment in the processing of personal data?
  • Do you have complete control over how the data is processed?
  • Have you enlisted external data processors to handle the data?

What are the duties of a data controller?

Controllers under the GDPR bear the highest level of responsibility for compliance. They must be able to demonstrate their adherence to all data protection principles and must also ensure that any processors they employ comply with the regulation. Controllers must demonstrate fairness, lawfulness, transparency, accuracy, data minimization, integrity, storage limitation, and confidentiality when handling personal data. In accordance with Article 24 of the GDPR, controllers must consider the purpose, nature, context, and scope of data processing activities, as well as the potential risks to individuals’ rights and freedoms. They are required to implement appropriate organizational, technical, and security measures to demonstrate compliance, and to review and update these measures regularly as needed. Controllers are obligated to pay a data protection fee, enforced by a data protection officer, unless they qualify for an exemption.

Examples of data controllers

Below are some practical examples of data controllers:

A healthcare provider: A hospital or clinic that collects and processes patient information, including medical records, diagnostic test results, and treatment plans. As a data controller, the healthcare provider must ensure patient data is securely stored, consent is obtained for any processing, and strong data protection measures are in place to safeguard sensitive medical information.

Human Resources department: In organizations, the HR department often acts as a data controller as it collects and stores personal employee data, such as contact details, employment history, bank account information, and performance evaluations. The HR department is responsible for complying with GDPR principles, such as obtaining consent for data processing, providing transparency, and implementing appropriate data protection measures.

Marketing agency: A marketing agency that collects and processes personal data for targeted advertising campaigns, email marketing, or direct mail marketing. As a data controller, the agency must ensure it has obtained proper consent, provide clear opt-out options, and handle data in compliance with GDPR guidelines, such as securely deleting outdated or irrelevant data.

What is a Joint Controller?

Article 26(1) of the General Data Protection Regulation (GDPR) specifies that data controllers can determine the purposes and means of data processing either individually or jointly with another party, in which case they are joint controllers. This means that multiple entities can share responsibility for processing personal data if they have a shared purpose and collectively determine the means of the processing. To determine whether your organization is a joint controller under the GDPR, consider factors such as whether you have a shared objective with other companies for the data processing, whether you are processing the data for the same reason as another data controller, whether you are using the same set of personal data for the processing, and whether you are designing the data processing together with another data controller, for example by using the same database. Joint controllers must establish an arrangement among themselves to determine who takes the main responsibility. They also share equal responsibility for any security breaches, and any fines imposed would be divided between them accordingly.

Data Processors

A data processor can be a company, individual, or legal entity that acts on behalf of and under the authority of a data controller. Processors must follow the instructions of the data controller unless the law requires otherwise. Data processors can be held accountable for data breaches and must comply with GDPR requirements to avoid liability. Data subjects can file compensation claims against both data controllers and data processors.

Is your company a data processor?

Answer these questions to determine if your organization is a processor under GDPR:

  • Are you processing personal data on behalf of someone else and following their instructions?
  • Did a third party provide you with the personal data or instruct you on the specific type of data to collect?
  • Did you have no influence in the decision to collect personal data or the type of data being collected?
  • Did you not determine the legal basis for collecting or using the data?
  • Did you not determine the intended use of the data?
  • Did you not make decisions regarding the retention and storage duration of the data?
  • Are you implementing data processing decisions as part of a contractual agreement with another company?
  • Are you not concerned with the overall purpose or outcome of the data processing?

Are employees considered data processors?

Employees of the data controller are considered part of the controller, not separate data processors. When they perform their duties within the scope of their employment, they act as representatives of the data controller. Therefore, under the GDPR, they are not treated as external parties contracted to carry out data processing on behalf of the controller.

What are the duties of a data processor?

Data processors have different legal obligations compared to controllers under the GDPR. They are not required to pay a data protection fee but still have responsibilities under the GDPR. Supervisory authorities such as the ICO can take action against processors for any breaches. Article 28 of the GDPR states that processors must implement appropriate measures to meet the GDPR’s guidelines if they process data based on a controller’s instruction. Processors also have a responsibility to protect the rights of data subjects and should have their own security measures in place. If a data breach occurs, the GDPR allows for fines to be imposed on both the processor and the controller, based on their level of responsibility and the measures they have implemented.

An example of a data processor

One practical example of a GDPR data processor is a cloud service provider. For instance, a company may decide to outsource their data storage and processing to a cloud service provider like Amazon Web Services (AWS) or Microsoft Azure. In this scenario, the company is the data controller, and the cloud service provider is the data processor. The company will store their customer data on the cloud service provider’s platform, and the cloud service provider will process the data according to the company’s instructions. This could include activities like data storage, data backup, analytics, or data migrations. The cloud service provider will also be required to implement appropriate technical and organizational measures to protect the data, maintain records of processing activities, handle data breach notifications, and facilitate the rights of data subjects, such as data access and erasure requests.

What is a sub-processor according to the GDPR?

When a data processor decides to hire another party to assist with data processing, this party is known as a “sub-processor.” According to the GDPR, the processor must have written authorization from the data controller before using a sub-processor. The data processor is still responsible for the sub-processor’s actions and must include the same data protection obligations in the contract with the sub-processor. This contract should define the personal data being processed, how it will be processed, and the data processor’s responsibility for data security and breach notifications.